
Applying information technology (IT) to governance, risk and compliance (GRC) processes is a challenge, because the relevant information is scattered in small pieces across all the business processes of the organization. Compliance risks need to be assessed consistently and systematically enterprise-wide, rather than through reactive and divergent approaches, and not only at the system or project level but also within a sustainable compliance process at the level of business processes and business lines. Sander van de Molen (Eureko) and William Janse (Monidee) describe a case in which they cooperated on developing a solution.
Case
Eureko (www.eureko.net) is an integrated international financial services group with a clear and demonstrable focus on value creation for all its stakeholders. Its core business is insurance (life, non-life and health) and services relating to pensions and health.
Since 2004, the Dutch Corporate Governance Code (the Code) has been adopted by listed and non-listed companies alike. It sets out clear governance principles on a ‘comply or explain’ basis. For Eureko, the primary ‘deviations’ relate to the composition of its Supervisory Board. In addition, when Eureko’s Dutch activities, Achmea, merged with Rabobank’s insurer, Interpolis, in 2005, the Group adopted additional Corporate Governance Principles aimed specifically at its post-merger divisional structure and the accountabilities and responsibilities of each division, staff department and the Executive Board.
At the end of 2006 a new Eureko Compliance Program was written by Eureko Group Compliance & Regulatory Affairs together with the local compliance officers.
Eureko’s challenge was to design state-of-the-art compliance instruments (reporting, monitoring, awareness, compliance themes, etc.) that would be practical and manageable to work with group-wide. Group Compliance therefore designed an unambiguous and efficient compliance management framework of instruments that could be applied to all the diverse business lines within Eureko (Achmea / Interpolis).
The new Compliance Program covers the entire governance structure. One of its key principles was to work with meaningful and comprehensible business-oriented themes (such as KYC, privacy, competitive practices, fraud, etc.) instead of with the legislation itself. The legislation is therefore translated into themes, each with an associated set of norms and controls. These themes and their sets of norms and controls are generic templates defined at corporate level. For each business line (group) the themes, norms and controls are customized and linked to the operational processes within that business line.
In this way, through self-assessments (rating the control level), Eureko can assess how each business line 'scores' per theme (compliance scorecard), making visible the remaining net (residual) risk exposure after the control level has been taken into account. Through a gap analysis, concrete and targeted actions for improvement can then be formulated.
This method of applying meaningful and comprehensible business-oriented themes was developed within Eureko. Seventeen compliance themes were defined and the associated legislation was translated into sets of norms and controls. The compliance management framework of themes, norms and controls was developed and tested in-house by Eureko in a spreadsheet prototype, including a compliance (risk assessment) rating model (likelihood * impact) that corresponded with existing models within the organization.
In order to go 'live' with the developed compliance management framework, Eureko determined that IT support in the form of efficient and effective tooling was necessary to manage the framework from a single point of truth.
From a "first organize, then automate" perspective, Eureko started the process of choosing a tool, considering make or buy and standard versus customized. A tender was issued, to which several vendors responded. Ultimately, Monidee was chosen because of its customized approach based on standard components. At a reasonable cost and within a short time, Monidee was able to design and develop a powerful, fully customized solution for Eureko (Achmea / Interpolis). In a very close and harmonious cooperation a solution was designed, developed and tested, and it is now used within the organization as the tool for managing compliance themes.
Mr. A.C.M. (Sander) van de Molen, Manager, Eureko Group Compliance & Regulatory Affairs
Challenges
How to:
• assess compliance risks consistently and systematically, rather than through reactive and divergent approaches;
• assess risks not only at the system or project level, but also within a sustainable compliance process at the level of business processes and business lines;
• categorize / prioritize / translate regulation into meaningful and comprehensible themes / domains (such as KYC, privacy, competitive practices, fraud, etc.) from a risk and (strategic) business perspective;
• manage sets of norms & controls regarding compliance themes;
• actively involve the business processes and promote a compliance risk management culture => 'Compliance is (y)our concern';
• manage releases (each valid for a specific timeframe) of the compliance / regulatory framework(s) in your organization in response to new and changing regulation;
• periodically (recurrently) perform risk and control self-assessments (RCSA) to measure control level(s) and compare them over time to determine progress;
• 'keep it simple' and make (self-)assessments minimally time-consuming to conduct;
• aggregate, analyze and report compliance scorecards (risk status) across multiple dimensions;
• implement a compliance (risk assessment) rating model (likelihood * impact) that corresponds with existing models within the organization;
• identify, qualify and quantify inherent and residual (net) risk exposure;
• identify, qualify and quantify KRIs (Key Risk Indicators);
• ensure follow-up and manage workflow;
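The theme / norm / control structure described in the case, together with the likelihood * impact rating model, the residual-risk scorecard, the gap analysis and the comparison of RCSA rounds over time listed above, can be made concrete in a small model. The following Python is an added illustration, not code from Eureko's framework or from Monidee's tControl / CoTheSys. The rating scales (likelihood and impact 1..5, control level 0..4), the mapping from control level to effectiveness, the weakest-link rule for norms with several controls, the treatment of an unrated control as level 0, and the sample themes, norms, control identifiers and ratings are all assumptions constructed for the example.

```python
"""Compliance scorecard model: themes -> norms -> controls, self-assessed per business line.

Added example; not Eureko's or Monidee's code. All scales, identifiers and sample
ratings below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed scale: a self-assessed control level 0..4 and the share of inherent risk it removes.
CONTROL_EFFECTIVENESS = {0: 0.0, 1: 0.25, 2: 0.50, 3: 0.75, 4: 0.95}


@dataclass(frozen=True)
class Norm:
    """A norm within a compliance theme, with the controls linked to it."""
    theme: str
    name: str
    likelihood: int            # inherent likelihood, assumed scale 1..5
    impact: int                # inherent impact, assumed scale 1..5
    controls: Tuple[str, ...]  # identifiers of the controls mitigating this norm

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.theme}/{self.name}: likelihood and impact must be 1..5")
        if not self.controls:
            raise ValueError(f"{self.theme}/{self.name}: a norm needs at least one control")

    def inherent_risk(self) -> int:
        """Gross risk before controls: likelihood * impact (1..25)."""
        return self.likelihood * self.impact


def residual_risk(norm: Norm, control_levels: Dict[str, int]) -> float:
    """Net risk after the self-assessed control level.

    Weakest-link assumption: the lowest-rated control linked to the norm decides.
    A control that was not rated in this round counts as level 0 (nothing demonstrated),
    so a forgotten assessment surfaces as a gap instead of silently looking fine.
    """
    levels = []
    for cid in norm.controls:
        level = control_levels.get(cid, 0)
        if level not in CONTROL_EFFECTIVENESS:
            raise ValueError(f"control {cid}: level must be 0..4, got {level}")
        levels.append(level)
    return norm.inherent_risk() * (1.0 - CONTROL_EFFECTIVENESS[min(levels)])


def scorecard(framework: List[Norm], control_levels: Dict[str, int]) -> Dict[str, Dict[str, float]]:
    """Per theme: the worst inherent and the worst residual score across its norms."""
    card: Dict[str, Dict[str, float]] = {}
    for norm in framework:
        entry = card.setdefault(norm.theme, {"inherent": 0.0, "residual": 0.0})
        entry["inherent"] = max(entry["inherent"], float(norm.inherent_risk()))
        entry["residual"] = max(entry["residual"], residual_risk(norm, control_levels))
    return card


def gap_analysis(framework: List[Norm], control_levels: Dict[str, int],
                 appetite: float) -> List[Tuple[str, str, float, str]]:
    """Norms whose residual risk exceeds the risk appetite, worst first,
    each with the weakest linked control as the concrete improvement action."""
    gaps = []
    for norm in framework:
        res = residual_risk(norm, control_levels)
        if res > appetite:
            weakest = min(norm.controls, key=lambda c: control_levels.get(c, 0))
            gaps.append((norm.theme, norm.name, res, weakest))
    return sorted(gaps, key=lambda g: -g[2])


def progress(previous: Dict[str, Dict[str, float]],
             current: Dict[str, Dict[str, float]]) -> Dict[str, float]:
    """Change in residual score per theme between two RCSA rounds (negative = improved)."""
    return {t: current[t]["residual"] - previous[t]["residual"] for t in current if t in previous}


# Constructed sample framework (three themes, four norms) for one business line.
FRAMEWORK = [
    Norm("KYC", "Customer identification before onboarding", 4, 5, ("C-KYC-01", "C-KYC-02")),
    Norm("KYC", "Periodic review of high-risk customers", 3, 4, ("C-KYC-03",)),
    Norm("Privacy", "Purpose limitation for customer data", 3, 4, ("C-PRIV-01",)),
    Norm("Fraud", "Claims fraud screening", 4, 4, ("C-FRD-01", "C-FRD-02")),
]
# Constructed self-assessment results for two rounds; C-FRD-02 was not rated in round 1.
Q1_LEVELS = {"C-KYC-01": 3, "C-KYC-02": 1, "C-KYC-03": 2, "C-PRIV-01": 4, "C-FRD-01": 2}
Q2_LEVELS = {"C-KYC-01": 3, "C-KYC-02": 3, "C-KYC-03": 2, "C-PRIV-01": 4, "C-FRD-01": 3, "C-FRD-02": 2}

if __name__ == "__main__":
    q1, q2 = scorecard(FRAMEWORK, Q1_LEVELS), scorecard(FRAMEWORK, Q2_LEVELS)
    for theme, entry in q1.items():
        print(f"{theme:8} inherent={entry['inherent']:5.1f} residual={entry['residual']:5.1f}")
    for theme, name, res, weakest in gap_analysis(FRAMEWORK, Q1_LEVELS, appetite=8.0):
        print(f"GAP {theme}: {name} residual={res:.1f}, improve {weakest}")
    print("progress Q1->Q2:", progress(q1, q2))
```

With the constructed ratings, round 1 flags the Fraud theme first (its unrated control drives residual risk to the full inherent 16.0) and then the KYC onboarding norm (15.0, weakest control C-KYC-02); after the round-2 ratings no norm exceeds the appetite of 8.0, and the per-theme progress figures show the reduction. The same functions would be run per business line and period and the scorecards aggregated across those dimensions.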
Solution
Monidee's solution tControl, known as CoTheSys within Eureko, together with a well-organized Corporate Compliance Competence Center, was implemented and enables Eureko to:
• Increase accuracy and visibility of Compliance risk information;
• Assess compliance risks consistently and systematically enterprise-wide at the business process and business line level;
• Promote a Compliance risk management culture in their organization => 'Compliance is (y)our concern';
• Reduce the cost and complexity of Compliance risk management;
• Optimize Compliance business line performance;
• Be in control;
• Demonstrate compliance, which shows that it takes the risks and interests of its stakeholders seriously.
