Posts Tagged ‘audit’

Do all-in-one GRC systems compromise good governance?

Tuesday, August 24th, 2010

The three lines of defence model is widely used by businesses of all types, across the globe. One of the key requirements of the three lines is the separation and independence of the audit function - the third line of defence. Despite this, there seems to be a trend towards vendors offering GRC solutions that include embedded internal audit management functions. In ARC Logics, we have taken a best of breed approach whereby our audit solution, TeamMate, is separate from our risk and compliance solutions, Sword and Axentis, but is integrated with them. Our customers tell us:

  • We want a physically separate database for audit, so we can be certain our audit data is secure.
  • We want to be sure that audit functions in the third line of defence are separate from business and assurance functions. While the fully integrated systems support separation of roles and permissions, they don’t guarantee it and would need to be monitored continuously to be certain that this is maintained.
  • While we want our audit solution to reflect the risk framework being managed in the first two lines of defence, we want audit to be free to create their own views and extensions and to add risks that are not in the existing risk framework.

These are strong arguments but the killer as far as we are concerned is that our customers tell us they want an audit solution that has been designed and built specifically for auditors, not one that has been bolted on to an existing risk and compliance platform and is, by definition, a compromise.

To answer my own question: all-in-one GRC systems may not specifically compromise good governance, but they do make it harder to guarantee the separation of the third line of defence, and they require additional effort and monitoring to ensure they do not allow good governance practices to be compromised.

Mike MacDonagh

Risk & Compliance Silos don’t have to be bad

Tuesday, January 27th, 2009

For both Enterprise Risk Management and GRC, we have been encouraged to think of individual silos of risk management or compliance functions as a bad thing, and to treat their removal as a sign of increasing ERM or GRC maturity. This doesn’t have to be true; indeed, there is a growing belief that it is important to retain the right kind of silos.

Take audit: there has been a rush among GRC vendors to add an audit function to their offering and to integrate it tightly with the risk management and compliance functions. As the leading vendor of audit systems, CCH TeamMate are starting to hear of dissatisfaction with this approach. Independence is vital to the auditors’ role and needs to be guarded jealously. Most importantly, auditors want to be free to choose the best audit tool for their requirements, usually from a specialist supplier.

In this case, Audit Management is a “best of breed” solution that needs to be joined up with other governance, risk and assurance solutions, but that integration needs to reflect the needs of auditors and to continue to be developed exclusively with those needs in mind. The same is true of many areas of compliance and risk management. These areas are staffed by skilled experts, and those experts need to be given the tools to do their jobs properly.

The trick is to be able to bring these “best of breed” solutions together in the right way to provide management not just with a ‘joined-up’ view of risk, compliance and audit but also with tools that enable them to do something about it.

In our view, the ‘central’ GRC platform needs to have:

  • A data warehouse that contains a common view of:
    • the organisational structure
    • the process structure
    • risk and control categories
  • Issue and Action Management
  • Key Risk and Performance Indicators
  • Risk Analytics
  • Dashboards and Reporting

This is supported by ‘best of breed’ solutions for:

  • Loss Recording
  • Risk & Control Self Assessment
  • Audit Management
  • Compliance Monitoring (e.g. AML, SOx, etc.)
  • Continuous Control Monitoring
  • Controlled Document Management (inc. Policy & Procedure Management)
  • Other risk management solutions (e.g. Credit Risk, Market Risk, etc.)

Mike MacDonagh