Implementation GRC Tooling
Case: Implementation Governance Risk & Compliance Tooling
BACKGROUND
A financial institution based in the Netherlands needed a GRC solution as part of the improvement of its overall Risk & Compliance framework. The solution would have to be rolled out globally (25+ countries) and would have to adhere to strict governance. Multiple tools were in use locally, and an unsupported tool was running globally.
A Risk Control Framework is part of the Internal Control Framework (ICF) or Management Control of an organisation. The Risk Management Framework (RMF) is a collection of standards used to identify, measure, manage, monitor and report on risk. Different industry standards, such as COSO ERM and ISO 31000, can be chosen as best practice, and even more detailed frameworks such as NIST and COBIT are available. This makes the area complex, as companies face different methods for managing risk.
CHALLENGE
Although the software vendor was already selected, many underlying components were not ready for system implementation.
- The RCF framework required improvements on multiple levels while the company was partly reorganising.
- The concept of the 3 lines of defence was not yet crystallised.
- The risk and compliance policies and processes were under review, and the framework / solution would have to operate in ~30 countries.
- No process design had taken place, and the department leading the effort had only just been established.
ASSIGNMENT
Review and revise the different layers of the framework, including policies, processes, general governance and people enablement, and collect and define the requirements for the target tool. Ensure user stories were written and implemented by the vendor, including quality control. Apply agile working according to the standard of the company.
APPROACH
Porteg assembled a team of 6 FTE: 1 Product Owner and Senior Risk Expert, 3 Business Analysts for process detailing and technical requirements, and 2 Quality Assurance Specialists to ensure quality of delivery.
Porteg reviewed the current state (as-is) to better understand the gaps and the current process. By combining process and business analysis we were able to describe both the as-is and the to-be situation, including detailed workflows and process mapping. We ensured compliance of the new workflows with the policies of the company and aligned them with the 3 lines of defence model deployed.
The business analysis work was translated into business and technical requirements, grouped into different EPICs and maintained through Product Increments and pipelines. The user stories were detailed for the vendor for delivery, and the deliveries were checked by Porteg’s Quality Assurance Engineering team. We facilitated the User Acceptance Test to obtain the final sign-off before deploying the solution. The solution was first piloted in 5 countries to enable further continuous improvement, after which it was rolled out globally under the guidance of Porteg.
RESULT
Within a period of 3 months the first risk tool, RCSA, was deployed and immediately used. 3 months later Incident and Issue Management was launched, and in the 3 months after that Control Effectiveness tooling was deployed. All instruments were integrated with a carefully designed core to generate insights, monitor and maintain the workflows, and ensure Segregation of Duties. At its peak the backlog for the tool contained over 1000 requirements/user stories for implementation.