Over the past year, the discussion of governance, risk and compliance (GRC) has continued in stories related to financial services and other sectors. Headlines related to improper conduct, fraud, and infringement of data privacy have all contributed to the industry re-examining the meaning of GRC in today’s business environment. The argument is that non-financial risk must be approached as a responsibility that extends beyond the risk function, and that organizations should move towards connecting compliance and risk activities as a single system. As IBM VP David Marmer previously noted, in 2018, GRC has come of age.
IBM OpenPages 8 – Oversight dashboard
GRC’s coming of age
The re-examination of GRC has resulted in its definition evolving into one that is more comprehensive and inclusive in scope. Today, GRC is discussed as aspiring towards a connected system linking the identification, classification, and management of risk across all lines of defense (LOD). The responsibility of managing risk is now understood as extending beyond a discrete business function to the view that “risk is everyone’s job.”
It is understood that the interaction between the traditional three lines of defense continues to evolve. Many of the challenges encountered between these tiers are related to the complexity of tasks, systems, and risk process support. Business lines, as the first line of defense, are often unclear on their role and require the support of others in the process. Those in risk and compliance in the second line of defense face the challenges that come from siloed, loosely connected operations, the absence of coordination, and limited data and transparency. Similarly, the audit function (third line of defense) is further challenged by outdated management and insight across the organization. These challenges are compounded by the growing complexity, pace and volume of risk-related events bombarding organizations. The potential results are organizations not meeting their risk requirements, a lack of agility in responding to what is needed, rising costs of risk and compliance, and, most importantly, missing critical risk events that are material to business operations.
Organizations are rethinking their overall GRC model. They are looking for efficiencies in their systems to drive productivity, increase agility and drive out the growing costs of running their applications. From our engagement with clients and prospects, we see three GRC objectives as paramount:
- Preserve trust and reputation with clients, employees, regulators, partners and the board
- Drive efficiency across risk and compliance processes
- Improve performance using a risk lens to enrich decision-making.
We believe that realizing the objectives of increased stakeholder trust, efficiency, insight, and performance requires solutions that combine systems, the support of domain expertise, and proven practices in solution integration. This year’s release of OpenPages 8 advances operational risk systems further in delivering efficiency, simplicity, and connectedness to GRC professionals.
OpenPages 8: Elevating risk management efficiency, access, and orchestration
With a focus on the three GRC objectives, this year’s release of OpenPages 8 centered on introducing greater access, transparency and usability for both traditional and nontraditional (first LOD) risk actors, and on elevating the linkage between risk management and risk activity through risk orchestration. In addition, OpenPages 8 has reduced the cost and complexity associated with GRC system development and changes, and the dependency on IT expertise, delivering systems that are less complex to build and maintain and that allow for a faster and more efficient time to production.
IBM OpenPages 8 – Risk assessment relationship diagram
First line of defense: Access, transparency and usability
Risk management’s three lines of defense continue to see a growing imbalance between the number of first-line business users and the supporting resources in the risk and compliance function (second LOD) and audit (third LOD). While risk, compliance, and audit in many cases continue to involve hundreds of resources in managing GRC activities, they are typically required to support the thousands that occupy the first LOD. Because the first LOD consists of business users who are infrequently involved in the risk process, they require support from risk professionals to effectively deliver on what the business needs. The result is inefficiency and cost being added to risk and compliance processes. These come from repeating the learning curve in each cycle and from distracting the second and third LOD from the work requiring their focus. This necessary support negatively impacts the momentum and efficiency of the risk process.
Our time in the field has put a spotlight on the need for GRC solutions that simplify the execution of risk activity by the first LOD, towards ensuring greater success, timeliness, and confidence in delivering on their risk-related requirements. In doing so, the organization benefits from greater trust in the information produced, and from better use of resources, with risk, compliance and audit teams being afforded more time to focus.
In OpenPages 8, new functionality has been delivered that elevates the first LOD experience and helps organizations realize the efficiencies that help second LOD risk teams maintain their focus and momentum, and increase their confidence in the completeness and quality of the information they receive from first-line activities. OpenPages 8 achieves this through its introduction of:
- A reimagined contemporary and intuitive UI
- Risk task-centric use
- Rich on-screen context focused on user tasks
- In-line guidance and full risk task-related detail
- Natural navigation of risk activities
Mission control: Improving risk system orchestration and agility
While improving the first LOD’s effectiveness in completing tasks, the OpenPages 8 release has also invested in the second LOD’s effective management of the risk system and tasks across the organization. GRC systems deploying new risk use cases have typically required months to quarters to get into production. This has been due in part to the technical complexity and detailed configuration associated with GRC system changes, and the dependency on IT resources to get the job done.
The question has been “how can we maintain the diligence required in keeping our risk systems current while reducing the barriers to being more agile?” This would require a solution that simplifies the skills required for system development and change management while maintaining robust and integrated processes. In addition to system management, effective solutions would also provide a means for risk professionals to monitor activities and manage workloads, optimizing the resources available. The ability to orchestrate risk activities as a “mission control” presents a further opportunity for new efficiencies and confidence in meeting business requirements.
OpenPages 8 has added new functionality supporting the need for a faster time to production and greater control and management of risk task workloads across the business. This release has introduced a new paradigm that makes the process of introducing new use cases and changes to the risk system both understandable and within the reach of second LOD business resources, reducing the dependency on IT. The result is a change in time to production from months and quarters to days and weeks. This release has also provided a new level of risk task management, introducing visibility into who is doing what, their progress, and how we can redistribute what needs to be done to get us to where we want to be.
IBM OpenPages 8 – Audit overview
IBM OpenPages 8 has enabled these outcomes through the introduction of:
Simplified development and change management
- Workflow modeling using agile real-time workflow definition between business developers
- Simplified new workflow development without IT intervention
- Zero configuration in the addition of new tasks
- Visual definition of BPM-style workflow; purpose-built engine for risk and compliance
Mission-control task management
- Activity-level detail and focus
- “Mission control” bird’s eye view for orchestration and balancing workflow
- Homepage presenting tasks and timelines (what is due, linked to task)
- Oversight dashboard and redistribution of workload
The new IBM OpenPages 8 contributes to extending participation in risk management through improving the first LOD risk activity experience, and elevating risk system orchestration and management. These advancements in OpenPages 8 contribute to large organizations becoming more agile and efficient in managing their GRC systems. For smaller organizations, OpenPages 8 offers them access to “big GRC” functionality and control in a manageable package.