Mastering Risk with “Data-Driven GRC”

Where are organizations heading?

“Data Driven GRC” represents a consolidation of methodologies, both functional and technological, that dramatically enhance the opportunity to address emerging risk landscapes and, in turn, maximize the reliability of organizational performance. This paper examines the key opportunities to leverage change—both from a risk and an organizational performance management perspective—to build integrated, data-driven GRC processes that optimize the value of audit and risk management activities, as well as the investments in supporting tools and techniques.

Functional Stakeholders of GRC Processes and Technology

The Institute of Internal Auditors’ (IIA) “Three Lines of Defense in Effective Risk Management and Control” model specifically addresses the “who and what” of risk management and control. It distinguishes and describes three role- and responsibility-driven functions:

  • Those that own and manage risks (management – the “first line”)
  • Those that oversee risks (risk, compliance, financial controls, IT – the “second line”)
  • Those functions that provide independent assurance over risks (internal audit – the “third line”)

The overarching context of these three lines acknowledges the broader role of organizational governance and governing bodies.

Technology Deficiencies in the Three Lines of Defense

Since the emergence of Sarbanes-Oxley, the use of technology in risk and control related processes has truly started to take meaningful shape in many organizations. However, when looking across the risk and control oriented functions in most organizations, technology is still typically used on a departmental or point solution basis.

Third Line (internal audit) use of risk & control technology

For the past decade, surveys of internal auditors have consistently identified the more effective use of technology as among the most pressing issues facing the profession. Specifically, the responses to the surveys also referred to the need for increased use of technology for audit analysis, fraud detection, and continuous auditing. Other surveys also highlight a shortage of sufficient technology and data analysis skills within audit departments.

Much of the driving force for improving the use of technology is based on the desire to make the audit process itself more efficient and more effective, as well as to deliver more tangible value to the rest of the organization.

During the past decade, the role of the internal audit function itself has changed considerably. Internal audit’s traditional focus on cyclical audits and testing internal controls is evolving into one in which internal audit is expected to assess and report on the effectiveness of management’s processes to address risk overall. This often includes providing guidance and consultation to the business on best practices for managing risk and compliance within business process areas and maintaining effective control systems. The use of technology is an increasingly critical component of these best practices and in some cases internal audit is able to champion the implementation of high-impact, high-value technology within the business’s risk management and compliance processes, based on their own experience in using technology for assurance purposes.

There is considerable variation in the extent to which internal audit departments leverage technology. However, it is certainly fair to say that for audit to be truly valuable and relevant within the context of organizational strategy, a significant improvement is required across the board. Internal audit as a profession simply is not moving forward at the pace of technology.

Some specific statistics from recent research reveal:

  • Only approximately 40% of internal audit departments use audit and documentation management systems from specialized vendors. The remainder use disorganized tools and processes, typically based on Microsoft Office® & shared folders.
  • Audit programs for specific business process areas and industries are usually developed through a combination of previously used programs and those shared on various audit-related websites. This approach does not address organization-specific risk.
  • Next generation testing techniques, especially data analytics, are overwhelmingly underutilized.

Second Line (risk, compliance, financial controls, IT) use of risk & control technology

Outside of audit, in other areas of risk and compliance, some organizations have acquired specialized departmental software, but the majority use only basic Office tools to maintain inventories of risks, document controls and perform risk assessments. In larger enterprises, it is not unusual to have a variety of different technologies and approaches applied in different operational entities or in different functional areas. This approach is usually more costly and less effective than one based on a common platform. Effective testing methods using technology are usually unavailable or left unconsidered.

In fact, second line of defense functions often rely heavily on inquiry-based methods such as surveying, which are proven ineffective at identifying the actual manifestations of risk in the organization. If analytical software is used in the business for investigations or monitoring transactions, in many cases it involves standard query tools or some form of generic business intelligence (BI) technology. Although good for providing summary level information or high-level trends, BI tools struggle to show the root cause of problems. And while they may have certain capabilities to prevent fraud and errors from occurring, or to flag exceptions, they are not sufficient to effectively trap the typical problem transactions that occur.

First Line (management) use of risk & control technology

While in some cases, first line management have access to better technology for use on specific pain point areas (e.g., continuous transaction monitoring technology used within finance departments), there is a common tendency for management to place far too much reliance on core business systems for effective control. While the large ERP and other system vendors seem to have extensive capabilities for preventing control deficiencies, the reality is that these are extremely extensive and complex systems and internal controls are usually the afterthought of those implementing them, not a core focus. For example, in many cases certain control settings are turned off to enable the ERP system to run more efficiently.

An integrated and collaborative approach to managing risks and monitoring controls in collaboration with the second and third lines of defense, using a common, independent methodology and technology platform, typically proves the most effective in accomplishing management’s key risk mitigation strategies.


Click here to access ACL’s White Paper

By investing heavily in start-ups and technology, (re)insurance companies appear to have assumed a semblance of control over the InsurTech revolution

Who Benefits from Modularization?

With technology moving forward at an unprecedented pace, incumbents are increasingly electing to outsource functions to highly specialized new entrants, renting evolving modules of technology that can be tailored to suit their individual needs. Though this approach may be more cost effective, it further fuels the question of whether incumbents will allow value in the industry to shift towards new entrants. In time, market participants will come to understand which module in the chain generates the most value. It is plausible that automation in distribution will shift value towards efficiency of internal processes that support cutting-edge modeling and underwriting engines.


The State of InsurTech

InsurTech funding volume increased 36% year-over-year in 2017, demonstrating that technology driven innovation remains a core focus area for (re)insurance companies and investors heading into 2018. However, perhaps contrary to many of the opinions championed in editorial and press coverage of the InsurTech sector, further analysis of the growing number of start-ups successfully attracting capital from (re)insurers and financial investors reveals that the majority of InsurTech ventures are not focused on exiling incumbents by disrupting the pressured insurance value chain. According to research from McKinsey & Company,

  • 61% of InsurTech companies aim to enable the value chain,
  • 30% are attempting to disintermediate incumbents from customers
  • 9% are targeting full scale value chain disruption.

Has the hype surrounding InsurTech fostered unjustified fear from overly defensive incumbents?

We have taken this analysis a step further by tracking funding volume from strategic (re)insurers versus financial investors for InsurTechs focused on enabling the value chain, relative to their counterparts attempting to disintermediate customers from incumbents or disrupt the value chain altogether. We found that 65% of strategic (re)insurer InsurTech investments have been concentrated in companies enabling the value chain, with only 35% of incumbent investments going to start-ups with more disruptive business models. What does this mean? While recognizing the subjective nature of surmising an early stage company’s ultimate industry application at maturity from its initial focus, we attribute this phenomenon to the tendency of incumbents to, consciously or subconsciously, encourage development of less perceptibly threatening innovation while avoiding more radical, potentially intimidating technologies and applications.

Recognizing that this behavior may allow incumbents to preserve a palatable status quo, it should be considered in the context in which individual investments are evaluated – on the basis of expected benefits relative to potential risk. We have listed several benefits that InsurTechs offer to incumbents:


Segmenting the InsurTech Universe

As InsurTech start-ups continue to emerge across the various components of the insurance value chain and business lines, incumbents and investors are evaluating opportunities to deploy these applications in the insurance industry today and in the future. To simplify the process of identifying useful and potentially transformational technologies and applications, we have endeavored to segment the increasingly broad universe of InsurTech companies by their core function into four categories:

  1. Product & Distribution
  2. Business Process Enhancement
  3. Data & Analytics
  4. Claims Management

This exercise is complicated by the tendency of companies to operate across multiple functions, so significant professional judgment was used in determining the assignment for each company. A summary of the criteria used to determine placement is listed below. On the following pages, we have included market maps to provide a high level perspective of the number of players in each category, as well as a competitive assessment of each subsector and our expectations for each market going forward. Selected companies in each category, ranked by the amount of funding they have raised to date, are listed, followed by more detailed overviews and Q&A with selected representative companies from each subsector.

Click here to access WTW’s detailed briefing

Keeping up with shifting compliance goalposts in 2018 – Five focal areas for investment

Stakeholders across the organization are increasingly seeking greater compliance effectiveness, efficiency, cost cutting, and agility in compliance activities to further compete in the expanding digital and automated world.

Organizations are being pushed in this way to continuously improve their compliance activities, because in the future, integration and automation of compliance activities will be imperative. To prepare for tomorrow, organizations must invest today.

When positioning your organization for the future, keep in mind the following five areas for investment:

1. Operational integration

Regulators are increasingly spotlighting the need for operational integration within a compliance risk management program, meaning that compliance needs to be integrated in business processes and into people’s performance of their job duties on a day-to-day basis.

When approaching the governance of managing compliance efforts, a more centralized, or a hybrid approach, strengthens the organization’s overall compliance risk management control environment.

2. Automation of compliance activities

The effectiveness of compliance increases when there is integration across an enterprise and successful automation of processes. Compliance leaders are turning toward intelligent automation as an answer for slimming down compliance costs, and becoming more nimble and agile in an ever-increasingly competitive world. When intelligent automation is on the table to support possible compliance activities, some important considerations must be made:

  • Compliance program goals for the future
  • Implementation dependencies and interdependencies
  • Determining how automation will and can support the business
  • Enhancing competitiveness and agility in executing its compliance activities

Automating compliance activities can also help augment resource allocation and realize greater accuracy by moving repetitive tasks into the automation.

3. Accountability

Regulators increasingly expect organizations to implement performance management and compensation programs to encourage prudent risk-taking. In fact, in the KPMG CCO Survey, 55% of CCOs identified “enhancing accountability and compliance responsibilities” as a top 3 priority in 2017.

It is essential that disciplinary and incentive protocols be consistently applied to high-level employees. To do so sends a message that seniority and success do not exempt anyone from following the rules.

4. Formalized risk assessments

Regulatory guidelines and expectations released in 2017 set forth specific focal areas that compliance leaders should ensure are covered in their risk assessments.

  • Evaluating the data needs of the compliance program can help the organization migrate to a more data-driven metrics environment in a controlled way.
  • Availability, integrity, and accuracy of data are needed to understand and assess compliance risks enterprise-wide. The use of data quality assessments to evaluate the compliance impact can help address this challenge.
  • Implementing a data governance model to share data across the 3 lines of defense is a good way of reassuring data owners and stakeholders that the data will be used consistently with the agreed-upon model.
  • Further integration and aggregation of data is needed to avoid unintentionally “underestimating” compliance risks because of continuous change in measurement of compliance programs and data & analytics.
  • To maximize the benefits of data & analytics, leading organizations are building analytics directly into their compliance processes in order to identify risk scenarios in real time and to enhance their risk coverage in a cost-effective way.

5. Continuous improvement

Compliance efforts by organizations need to continuously evolve to ensure the control environment remains firm while risk trends appear, risks emerge, and regulatory expectations shift.

Compliance and business leaders must continuously improve their compliance activities in pursuit of greater effectiveness, efficiency, agility, and resiliency. By continuously improving, organizations can methodically position themselves for the future.

Click here to access KPMG’s detailed White Paper

State of Digital Analytics: The Persistent Challenge of Data Access & Governance

Disjointed, inaccessible data is a major productivity inhibitor for analytics teams, diverting skilled resources from contributing to valuable business intelligence.

Analytics teams struggle with data access. In addition to listing data silos and data access among both their top data and analytics challenges, above, nearly three in five said it takes days or weeks to access all the data needed for their work or the work of the teams they manage. Only a third were able to access all their data in a day or less.

AMOUNT OF TIME FOR ANALYSTS AND ANALYTICS TEAMS TO ACCESS DATA

Nearly two in five analytics professionals are spending more than half of their work week on tasks unrelated to actual analysis. Forty-four percent of managers reported that more than half of their team’s work week is spent accessing, blending, and preparing data rather than analyzing it, while 31 percent of analysts said they spend more than half of their work week on data housekeeping.

TIME SPENT PREPPING DATA, RATHER THAN ANALYZING IT

As a result, the majority of analysts have found it necessary to learn programming languages specifically to help them access and/or prepare data for analysis. Outside of mandates from their employers, a full 70 percent of analysts reported taking it upon themselves to learn to code for this reason, and more than a quarter of those analysts have spent 80 or more hours learning to program.

ANALYSTS LEARNING PROGRAMMING SKILLS TO OVERCOME DATA ISSUES

It should go without saying that data professionals tasked with analyzing organizational information meaningfully and actionably cannot adequately perform their core job function without accurate data. Yet in addition to raising the data access challenges above, the industry is also split in terms of confidence in data accuracy. Nearly half reported that they question the accuracy of the data they or the teams they manage use regularly, while a little more than half said they are confident about their data.


Click here to access TMMData’s detailed Survey Results

What’s now and next in Analytics, AI, and Automation

Over the past few years, rapid technological advances in digitization and data and analytics have been

  • reshaping the business landscape,
  • supercharging performance
  • and enabling the emergence of new business innovations
  • and new forms of competition
  • and business disruption.

Yet progress has been uneven. While many companies struggle to harness the power of these technologies, companies that are fully leveraging the capabilities are capturing disproportionate benefits, transforming their businesses and outpacing—and occasionally disrupting—the rest.

At the same time the technology itself continues to evolve rapidly, bringing new waves of advances in

  • robotics,
  • analytics,
  • and artificial intelligence (AI),
  • and especially machine learning.

Together they amount to a step change in technical capabilities that could have profound implications for business, for the economy, and more broadly for society as a whole. Machines today increasingly match or outperform human performance in a range of work activities, including ones that require cognitive capabilities, learning, making tacit judgments, sensing emotion, and even driving—activities that used to be considered safe from automation. Adoption of these technologies could bring significant new performance and transformational benefits to companies that go beyond simply substituting labor and lead to previously unimagined breakthrough performance and outcomes. Moreover, they have the potential to boost the productivity of the global economy at a time when it is sorely needed for growth and the share of the working-age population is declining.

Yet their advent raises difficult questions about how companies can best prepare for and harness these technologies, the skills and organizational reinvention that will be required to make the most of them, and how the leaders in the private and public sector as well as workers will adapt to the impact on jobs, capability-building and the nature of work itself.


MGI-Briefing-Note-Automation-final