
GRC Journey Framework

Nasdaq BWise, the centerpiece of the Nasdaq GRC platform, offers a flexible set of seamlessly integrated solutions for Audit, Risk Management, Regulatory Compliance, Internal Controls and Information Security. BWise solutions are based on best practices and designed to streamline GRC processes and empower customer decision-making, ultimately enabling improved financial, strategic and operational efficiency.

As a result of this foundation, the platform can be implemented in a variety of ways and, in order to take advantage of its "best in class" potential and quickly support business areas, we suggest following a journey of up to five portals, or "Gates".

This methodology, called "GRC JOURNEY FRAMEWORK", allows our clients to progressively extend the maturity of risk management systems and internal controls, combining this evolution with financial investments, while empowering stakeholders to measure the gains in operational efficiency and management.

GRC framework image September 2017

Let's detail each phase.

Design for methodological configuration

This stage can be considered as the foundation of the implementation, and is composed of: i) the methodologies of internal controls and risk management, represented by the process, risk and control dictionaries; ii) the structure and functioning of corporate governance, iii) legal vehicles and organizational structures, and iv) the owners of processes and risks. As a result, we have the business design for platform configuration.

Client strategy - Gate 1

We consider it a prerequisite to know the strategic objectives of the organization in order to determine the GRC Journey. The initial effort is to capture the information the company already uses in its process of managing and evaluating internal controls, uploading and organizing them on the Nasdaq BWise platform.

At this point, we are building the elements of Gate 1 with data collection and documentation being the first step.

The strategic objectives need to be translated into the GRC Framework language to allow the creation of Risk and Performance Indicators. As an example, let us assume that the strategic objective is to increase sales of a given product by 20%, with a risk appetite for operational losses of 1% and a credit default upper limit of 1.5%. With this information, we can construct several indicators: the performance of Sales, the Risk of Operational Loss, the Risk of Credit and a Risk of Legal Actions.

Products - Gate 1

Depending on the strategic direction, the project output will be described in GRC products. As an example, we mention:

  • Validation of Quantitative Models;
  • Integrity Program (Brazilian Law 12.846 / 2013);
  • Evaluation by COSO 2013 - Internal Control Framework;
  • Policy and Standards Management;
  • Product Governance.

The premise is to derive maximum benefit from the BWise software platform by selecting products which are not well supported in the existing organization.

Key Indicators - Gate 1

One of the objectives of the GRC Journey Framework is to measure efficiency gains and return on investment made on the Nasdaq BWise platform. The indicators will be benchmarked at the beginning of the project and will then track the evolution and results that the BWise software is delivering in terms of operational efficiency. Some examples of indicators are:

  • Headcount involved in control and management activities;
  • Hours dedicated exclusively to control and management activities;
  • Type and frequency of manual activities to control and generate data or reports for management;
  • Amounts related to fraud and operational expenses related to the corresponding Gate project;
  • Average time in hours for generating information for other areas and regulators;
  • Quantity of manual controls, and
  • An indicator of return on investment made.

The project team, together with the Board of Directors or Committee of Risks / Internal Controls, needs to validate the method of measuring the maturity of the system of internal controls / risk management.

Each indicator should have a calculation rationale, data source and measurement frequency.

Results - Gate 1

Define with the Sponsor of the Deployment Project, or with the Steering Committee, how often the results of the indicators, or of any other relevant metric required during the process, will be presented.

It is important to align these results with the indicators defined by the company to follow its strategic objectives.

Mentoring - Towards Gate 2

Depending on the size of the project, the governance structure needs to be formalized. The reporting may include several Gates and have a forecast of implementation through triggers, which can be deadlines or the maturity reached by the system of internal controls or risk management.

If this is not the case, the alternative is to perform the Mentoring activity, which consists of an evaluation by the Practice Leader team of the evolution opportunities that the client company presents at a given moment, covering steps, Nasdaq products, consulting services, etc. At each evaluation, an opportunity document is generated that must be presented to the Company's Management, preferably associated with the strategic plan of the client company.

This document, when approved, generates a new Road Map for the evolution of the maturity of the system of internal controls or risk management, where the following steps will be developed: configuration design, product definition, key indicators definition and monitoring of results, creating a virtuous circle of development of GRC activity in the client company with the support of the Nasdaq BWise platform.

If you would like to learn more, please contact us.

Wagner R. Pugliese is a Practice Leader at Nasdaq BWise in Brazil. He has over 35 years' experience as a senior executive of internal audit, compliance, operational risk and internal controls at Itaú Unibanco, Duratex and Banco Votorantim. He has held various positions as a member of Audit Committees, as president of CLAIN - Latin American Committee of Internal Audit and Risk Management of Felaban - Federación Latino-Americana de Bancos and as Sector Audit Director at Febraban - Brazilian Banking Federation.

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.
