General Motors (GM) relied on four separate systems to support its Audit, Risk and Control activities, which made it difficult to gain a real-time view of and understand relationships between risks, controls and issues across the company.
By unifying its Audit, Risk and Control landscape with the IBM OpenPages with Watson platform, GM is gaining deeper insight into strategic, audit, operational and financial risks and controls.
Enables rapid analytics with a single source of truth for Audit, Risk and Control data
Increases consistency by standardizing process, risk, control and issue structures and hierarchies
Decreases costs for licensing and maintenance by consolidating four systems to one
Business challenge story
Improving Audit, Risk and Control management
Natural disasters, cyberattacks, changes in industry regulations, supply chain disruption and product recalls — these are just a small sample of the catalog of risks that can negatively impact an automotive company’s reputation and affect its bottom line. To avoid or mitigate these risks, car manufacturers must constantly monitor potential threats to their businesses, and continuously evolve their Audit, Risk and Control activities as new challenges arise.
As one of the world’s largest global automotive companies, GM invests time and resources into identifying, mitigating and monitoring risk. Angela Hoon, Executive Director, Strategic Risk Management at GM explains: “The focus on risk starts at the top of the organization: Mary Barra is our CEO and Chief Risk Officer and in 2014 established a risk committee of the board. The goal is to improve governance, focus and transparency of risk management to a Board level.”
GM found that the existing systems and processes used by its Audit, Operational Risk Management, Sarbanes-Oxley Compliance (SOX) and Strategic Risk Management teams were acting as silos, making it difficult to inventory, track and monitor risks, controls and issue resolution across functions and analyze the broader implications.
“We were using four different systems to document and monitor risk, control and audit information,” says Hoon. “As a result, we struggled to get a holistic view of the potential risks GM faced and the inventory of controls in place. It was also difficult to see how a risk in one area of the business might impact another division.”
Each department had its own unique workflows and a different set of technical challenges. For instance, the SOX team was using a highly customized system that was complex to manage, the Audit team was on a system that was reaching end-of-life and the Operational Risk Management team needed a powerful survey function to support its regular risk and control assessments.
Hoon says: “We started a project to standardize and evolve our risk management activities across all four teams. The aim was to achieve faster and more detailed insight into the risks posed to our business in real time, as well as reducing cost and complexity by consolidating and streamlining our systems and processes.”
Shifting gears with powerful GRC technology
To manage risk more effectively and efficiently across its global operations, GM decided to consolidate its Audit, Risk and Control processes and procedures using the OpenPages with Watson platform.
In a previous role as Principal Consultant for the Risk Consulting practice of one of the Big Four accounting firms, Angela Hoon had gained a deep knowledge of governance, risk and compliance (GRC) solutions from many different vendors. Commenting on GM’s choice of OpenPages software, she explains: “OpenPages is a flexible GRC solution, and that versatility made it an excellent fit with GM’s complex requirements for audit, risk, and control functionality.”
The OpenPages software was available as part of GM’s Enterprise License Agreement with IBM, which removed any concerns about software licensing costs.
“The main concern for the business was the cost of implementation,” says Hoon. “We did some proof-of-concept projects to show how easy it would be to build the kind of system we needed. Also, at GM our approach is to implement and manage all our technology in-house, so it was critical to get our IT team on board.”
GM adopted an agile-like approach to implementing the OpenPages solution. After the initial planning phase, the GM IT department was trained to lead the implementation, with support from IBM for technical aspects as needed. Next, they began implementing the OpenPages software as a shared platform that the Audit, Risk and Control groups could use to share data.
Robert Simkow, Project Manager for the OpenPages implementation, reflects: “Utilizing the agile-like approach, starting with near out-of-the-box pilot environments allowed our groups to better develop and refine their business requirements and configuration needs as they could better understand how the system would look, feel and perform. I truly believe this approach has led to better decisions and less rework, at a decreased cost and implementation timeline.”
This sharing of data has been critical to the project’s success. Ina Cheatem, Manager, Professional Practices, Audit Services at GM, reflects on the collaboration throughout the project: “By bringing all of our stakeholders together to think about how we could improve risk management and assurance on controls across the board, OpenPages has helped us strengthen support and cooperation between departments. We have standardized our process inventory and agreed on a common view of our company’s organizational structure — which is a real achievement in itself.”
Previously, the Audit, Risk and Control departments each had a slightly different way of interpreting the company structure and processes. Now, each department shares a common understanding, making it easier to investigate risks that affect multiple departments. As GM continues to roll out the solution, the company hopes to unify its practices and procedures even further.
Brian Gomolski, Project Manager for the OpenPages implementation at GM, adds: “The phased approach by department has helped us to move onto the IBM solution rapidly. With IBM OpenPages it is relatively easy to set up a basic implementation with minor customizations. This meant that we could introduce users to the platform in gradual stages and address issues or add functionality as we went along.” At the time of this writing, GM has onboarded its Audit, Strategic Risk Management and Operational Risk Management teams onto the OpenPages platform, and is on track to onboard its SOX team in the coming months.
Driving a more holistic GRC strategy
By using the OpenPages with Watson platform to support Audit, Risk and Control activities, GM has gained a more granular, but at the same time enterprise-wide, view of potential threats to its business — empowering the company to control and mitigate risk and prevent losses and reputational damage. And by consolidating to a single system, the teams stand to reduce their IT maintenance costs significantly.
Will Horton, Risk Analyst on the Risk Management team at GM, describes his team’s experience of moving to the OpenPages solution: “One of the great benefits of IBM OpenPages is that it enables us to keep all Audit, Risk and Control data in a central platform. In the Operational Risk Management area, we are using IBM OpenPages to build a library of all our current and historical risk management policies. Storing information in this way makes it much simpler for us to create the questionnaires which we send out to different areas of our business to determine whether a new policy is having a positive impact on our risk exposure.”
Gomolski adds: “From the Audit team’s perspective, storing all of our data in a single platform is empowering us to develop more efficient ways of working. Previously we stored information in a collection of documents and spreadsheets, which made it difficult to conduct meaningful analytics. IBM OpenPages makes executive reporting much easier, as we can capture and store data in the solution’s database and generate reports automatically.”
Once GM has onboarded the Audit, Risk and Control groups to the OpenPages platform, the manufacturer will have a much clearer view of how risks in one area of the company may impact other parts of the business.
Hoon says: “With IBM OpenPages providing a more comprehensive view of risks, controls and issues across the company, we are much better positioned to meet our strategic objectives. As well as providing a macro view of all risks that we currently face, the solution also enables us to drill down and assess the specific risks in one manufacturing process or link in our supply chain.”
Hoon concludes: “Ultimately, IBM OpenPages is enabling us to identify, monitor and mitigate risks to our business. This enables us to be more agile and make more informed decisions on risk avoidance and mitigation, so that GM can focus on what it does best: building safe, clean, innovative vehicles for customers worldwide. By providing visibility to controls, testing, and issue tracking for both SOX and Audit, IBM OpenPages brings greater transparency and assurance as to controls effectiveness and gaps needed to be closed.”
Headquartered in Detroit, GM is one of the world’s leading manufacturers of automobiles. It designs, manufactures and markets a complete range of vehicles, from electric cars to heavy trucks, to meet the needs of drivers around the world. The company employs 180,000 people across five continents and builds vehicles under eight distinctive automotive brands: Chevrolet, Buick, GMC, Cadillac, Holden, Baojun, Wuling and Jiefang.
IBM is working with organizations across industries to use IBM Cloud™, cognitive, big data, RegTech and blockchain technology to address their business challenges on a more real-time basis. IBM RegTech solutions merge the cognitive capabilities of IBM Watson® and the expertise of Promontory Financial Group to help risk and compliance professionals make better informed decisions to manage risk and compliance processes. These processes range from regulatory change management to specific compliance processes, such as anti-money laundering, know your customer, conduct surveillance and stress testing.