Making GRC work for the Organization

By Craig Spielmann, Risk Intelligence Leader, CNM LLP

I developed and managed one of the first commercial GRC systems, Horizon, while at JP Morgan. It was developed to increase risk reporting, productivity, and ease of use for global staff.

As the Global Head of JPM’s IT Risk Management function, I was tasked with rolling out RCSA globally to all of IT. The problem was, I had been in the job one week when this regulatory dictate came in as a response to an industry event (the 1996 Sumitomo Unauthorized Copper Trading Scandal).

As this was a new area, my staff was limited to me and half of an admin. I went around the world and completed 200 RCSAs on spreadsheets. The results were interesting but not worth the effort. We then decided to create “Horizon,” a web-based GRC system with a smart interface, graphical reporting, a new algorithm, automated reminders and much more. We also completely changed the risk methodology. Instead of asking people what their risk was, we told them. We created “risk templates” and tied them to organizations, processes, and locations. We also developed a Risk & Control Taxonomy, which was essential for data aggregation and Board & Regulatory level reporting.

Once we rolled out the system globally across all business and shared services, our CEO, Sandy Warner, was so impressed that he suggested we commercialize it. We developed a relationship with Ernst & Young to sell it with their consulting services, which led to deals with Merrill Lynch, The Federal Reserve, British Petroleum, Prudential, Bank of China, Bank of Tokyo, HKMA, The World Bank, etc.

We developed a very strong client steering committee, which helped to drive future developments and versions. It was amazing to see how different organizations evolved their use of Horizon. My team created the product, but our clients evolved it beyond anything we could have imagined.

After leaving JPM, I managed Archer, Orbit and several other GRC tools for top financial institutions. Currently, there are many high-quality products to choose from, but companies still struggle with their implementations.

Today, I consult with businesses that are selecting or rolling out GRC tools. I also teach classes on ERM and ask people if they are happy with their tools. 99% say “no.” However, it’s generally not the fault of the specific GRC tool, but the configurations that the internal staff decided on. Here are some recommendations:

1- Methodology – A strong and well thought out methodology is essential before a tool is added. There are many decisions that must be made that could impact the success of the tool. Besides the basics: how do you handle shared services, can multiple areas own a risk, who is authorized to sign off on an assessment, issue or action plan, what is the scoring methodology, etc. Thinking that a technology solution will solve a weak or flawed methodology is not a good idea.

2- Configuration – Configure workflow to make it easy for groups to work together and complete their assessment sections. Connect your GRC system to your HR systems to make it easy for people to select the relevant players necessary to complete an assessment. Try to make the rules as unrestrictive as possible.

3- Reporting – Design reports first, before designing the inputs and organizational structures. Reports should satisfy all key stakeholders (Boards, Regulators, on down) with current and future needs. You don’t want to rely on just what the tool comes with. In my experience, 3rd party reporting systems like OBIEE or Tableau are required to create customized reporting. We also created our own applications to deliver risk data from several separate risk systems to clients’ desktops so they could stay on top of their exposures and commitments without logging on to the GRC system.

4- Standard Taxonomy – Risk, Control and Process taxonomies are required for aggregate senior management reporting. You need to understand the number of levels needed to satisfy their requirements. Additionally, you want to aggregate data to determine where you may have systemic risk in more than one area.

In conclusion, a great GRC system is easy to use, has excellent response time, flexibility & dynamic reporting, can accommodate organizational changes, and is highly efficient. Additionally, it presents the risk organization in a highly professional and smart light to senior management and staff. Lastly, a strong and consistent GRC Steering Committee is essential for success. It will bring stakeholders together to provide support, address issues, and prioritize future development.

About the author
Craig Spielmann is CNM’s Risk Intelligence Leader. Craig is an industry leader in Enterprise Risk Management and Technology. Craig has over 35 years’ experience in financial services and created risk management methodologies and GRC applications that have been adopted by industry leaders such as the Federal Reserve, JP Morgan, Bank of China, Swiss Re, HKMA, British Petroleum, Freddie Mac, The World Bank, etc.

Craig led JP Morgan’s Horizon Risk Business and was the leader in attaining a US patent on Method & System for Managing Risk (US 7,113,914 B1). Craig is a frequent risk industry speaker on ERM, GRC, Artificial Intelligence, Technology and Climate Change.

Prior to joining CNM, Craig held senior risk management leadership positions at First Data, Royal Bank of Scotland, Citi and JP Morgan.
