Posts Tagged ‘GRC & ERM Blogs’

Do all-in-one GRC systems compromise good governance?

Tuesday, August 24th, 2010

The three lines of defence model is widely used by businesses of all types, across the globe. One of the key requirements of the three lines is the separation and independence of the audit function - the third line of defence. Despite this, there seems to be a trend towards vendors offering GRC solutions that include embedded internal audit management functions. In ARC Logics, we have taken a best of breed approach whereby our audit solution, TeamMate, is separate from our risk and compliance solutions, Sword and Axentis, but is integrated with them. Our customers tell us:

  • We want a physically separate database for audit, so we can be certain our audit data is secure.
  • We want to be sure that audit functions in the third line of defence are separate from business and assurance functions. While the fully integrated systems support separation of roles and permissions, they don’t guarantee it and would need to be monitored continuously to be certain that this is maintained.
  • While we want our audit solution to reflect the risk framework being managed in the first two lines of defence, we want audit to be free to create their own views and extensions and to add risks that are not in the existing risk framework.

These are strong arguments but the killer as far as we are concerned is that our customers tell us they want an audit solution that has been designed and built specifically for auditors, not one that has been bolted on to an existing risk and compliance platform and is, by definition, a compromise.

To answer my own question: all-in-one GRC systems may not specifically compromise good governance, but they do make it harder to guarantee the separation of the third line of defence and require additional effort and monitoring to ensure they do not allow good governance practices to be compromised.

Mike MacDonagh

Risk & Compliance Silos don’t have to be bad

Tuesday, January 27th, 2009

For both Enterprise Risk Management and GRC, we have been encouraged to think of individual silos of risk management or compliance function as a bad thing and their removal as a sign of increasing ERM or GRC maturity. This doesn’t have to be true and indeed, there is a growing belief that it is important to retain the right kind of silos.

Take Audit: there has been a rush among GRC vendors to add an audit function to their offering and to integrate it tightly with the risk management and compliance function. As the leading vendor of audit systems, CCH TeamMate are starting to hear of dissatisfaction with this approach. Independence is vital to the auditors’ role and it needs to be guarded jealously. Most importantly, auditors want to be free to choose the best audit tool for their requirements, usually from a specialist supplier.

In this case, Audit Management is a “best of breed” solution that needs to be joined up with other governance, risk and assurance solutions but that integration needs to reflect the needs of auditors and to continue to be developed exclusively with those needs in mind. The same is true of many areas of compliance and risk management. These areas are staffed by skilled experts and those experts need to be given the tools to do their jobs properly.

The trick is to be able to bring these “best of breed” solutions together in the right way to provide management not just with a ‘joined-up’ view of risk, compliance and audit but also with tools that enable them to do something about it.

In our view, the ‘central’ GRC platform needs to have:

  • A data warehouse that contains a common view of:
    • the organisational structure
    • the process structure
    • risk and control categories
  • Issue and Action Management
  • Key Risk and Performance Indicators
  • Risk Analytics
  • Dashboards and Reporting

This is supported by ‘best of breed’ solutions for:

  • Loss Recording
  • Risk & Control Self Assessment
  • Audit Management
  • Compliance Monitoring (e.g. AML, SOx, etc.)
  • Continuous Control Monitoring
  • Controlled Document Management (inc. Policy & Procedure Management)
  • Other risk management solutions (e.g. Credit Risk, Market Risk, etc.)

Mike MacDonagh

Risk Appetite and Objectives - cont.

Saturday, October 4th, 2008

My last post looked at definitions of risk appetite and how it fits into a firm’s risk management environment. In this second part, I want to consider the Governance implications of risk appetite. In basic terms: “What’s it for?”

What is apparent is that the expression of risk appetite needs to be closely linked to the underlying objectives and that expression will depend on the nature of those objectives, especially in how it is measured. If an objective, say with regard to Corporate Social Responsibility, is not defined in financial terms, then the appetite for risk against that objective will probably also not be expressed in financial terms. This gives rise to the idea that each objective is likely to have its own risk distribution curve or profile that maps the probability of differing results, using whatever units the objective is expressed in. Different points on that curve will equate to achievement targets (KPIs) and the appetite/tolerance and capacity to withstand negative results. The role of risk management is to ensure that negative results don’t occur by reducing their probability in line with the group’s appetite. This is done not by attempting to shift the entire curve to the right but by addressing specific risk points, as expressed by risk appetite.

From a Governance perspective it is risk appetite and the associated risk and performance points or thresholds that play the key role of joining the organisation’s primary goals to its risk management framework. Of course, this link isn’t always direct or explicit. Large organisations will have a hierarchy of objectives, from high level business goals, to specific measures given to managers and, perhaps, individuals. It isn’t always the case but this hierarchy should be joined up, so that objectives at the lower levels relate, ultimately, to the organisation’s overall goals. In this way, risks to the fulfilment of those objectives and the appetite for risk against those objectives add together to give an overall view of risk against the high level business objectives and the cost of mitigating them can be measured against the objective itself.

So, getting back to the original question of “What’s it for?”, risk appetite is effectively the glue that joins a firm’s risk management framework to its business goals, directs risk management efforts to the overall benefit of the firm and provides management at all levels of the organisation with a consistent and consolidated view of their risks and how important they are in the overall scheme of things. Used wisely, Risk Appetite can be of great value in helping to ensure business objectives are met and significant risks avoided or mitigated.

Mike MacDonagh

Call My (GRC) Bluff

Thursday, May 22nd, 2008

We all recognise the format; one word, four different but apparently plausible definitions but only one is actually true. All good fun but now let’s visit any risk management or compliance conference; at least four vendors touting their wares, all using one term, GRC, but all of them selling something different and who’s bluffing?

Of course, I’m not suggesting that our industry is full of liars trying to take advantage of the unwary, but the fact is that GRC is a term that perhaps lacks a clear and universally accepted definition and, of course, the tendency for any vendor is to favour an interpretation that most closely fits whatever products it happens to have. This may be a sign that GRC is still an immature discipline but, more likely, it reflects the different directions from which organisations are addressing compliance. For example, a company that already has a good Operational Risk Management solution is likely to look at the possibility of extending that to start providing GRC services (such as centralised issue and action management), or a company that has a strong Audit function might decide to lead their GRC strategy from there. As long as GRC is still a series of steps driven by a vision and is not a single project, this approach is likely to remain in favour.

In this way, diverse vendors will acquire ‘GRC’ customers and then try to leverage those by proposing similar projects to other companies. To the market they simply say; “We have a GRC solution and GRC customers”, not quite true but, in most cases, not a conscious bluff either.

Mike MacDonagh