Software solution brings measurable improvements for Governance, Risk and Compliance (GRC)
BearingPoint develops a (software) solution for simulation of GRC activities, risks and controls.
Amsterdam, 4th of March 2013 – Incidents of dangerous manufacturing failures, bookkeeping scandals, corruption, fraud, privacy and safety all lead to increasing demand for robust internal control systems and policies. As a result, the importance of better Governance, Risk and Compliance (GRC) is increasing day by day. In this context, BearingPoint (http://www.bearingpoint.com) and the Technical University of Munich have conducted a research project on the maturity level of GRC within companies in The Netherlands, Germany, Austria and Switzerland. This study indicates that GRC as a pillar of a company’s culture is still a fledgling concept. A significant finding is that the automation of GRC processes delivers optimum results. Furthermore the research identified significant potential for GRC to be integrated into existing business processes.
As a result of these findings, BearingPoint has developed an approach to ensure an effective and efficient structure of GRC in combination with business processes and supporting IT systems. This approach delivers direct measurable results by integrating all GRC applicable functionalities into one software module. Based on SAP BusinessObjects, BearingPoint has developed a system which combines the functionalities of risk and policy management, internal control and authorization management. What makes this solution so exceptional is that it can display integrative GRC scenarios incorporating “real” transactional data. Organizational and transactional data of multiple (and comparable) companies forms the basis of the module. By combining this data with the control and test procedures of an organization, BearingPoint is able to display tailor-made scenarios. Crucially, this approach is relevant for every industry.
"This solution makes it possible to improve GRC processes in a fast and effective way. Therefore it will have a direct and permanent impact on the decrease of risk. More importantly, it eventually results in reduction of expenses ", says Anton Weig, Partner at BearingPoint and leader of the Automotive industry practice in Germany. "Crucial for a successful implementation of GRC is the focus on the long term cultural aspect of the organization: it’s about creating awareness of GRC for all employees within the organization.”
Example of an integrated approach for a specific risk
This case will describe the risks that come with non-compliant purchasing activities within organizations. The likelihood of a risk occurring in combination with financial impact (magnitude of costs) is plotted in a risk matrix. The recommended approach for risk management is then defined. The resulting control process may be executed manually or automatically, as required. An example of an automated control process would be a “real-time” test in the ERP system of defined access authorizations and the adherence to those authorizations. This style of testing would ensure adherence to directives such as Segregation of Duties, Thereby preventing, for example, an employee from both entering and approving invoices from a supplier. An example of a manual control could be the way in which an auditor takes a cyclical sample to check for irregularity in payment runs. This process is controlled using a workflow and documented in the system (creating an audit trail). These controls will reduce the financial risk and its probability of occurring. Consequently, the net risk which is displayed in the risk matrix also decreases or is even fully covered.
The above mentioned example is only one of many possible integrated approaches. Based on actual data in the system, every potential risk or customer specific process can be quickly displayed; the BearingPoint solution allows this to be achieved with minimal effort - an invaluable tool when starting a new project.
By automating the processes, integrating all GRC components in an IT environment and creating awareness of GRC throughout the organization, a company can improve its Governance, Risk and Compliance significantly.