About cookies on this site Our websites require some cookies to function properly (required). In addition, other cookies may be used with your consent to analyze site usage, improve the user experience and for advertising. For more information, please review your options. By visiting our website, you agree to our processing of information as described in IBM’sprivacy statement. To provide a smooth navigation, your cookie preferences will be shared across the IBM web domains listed here.
Transforming business governance, risk management and compliance (GRC) with an AI-powered platform
Internal IBM business units
End-of-life stovepipe GRC applications that don’t support IBM’s new vision and modern processes
At IBM, the Security and Compliance Enablement team within the Chief Information Officer (CIO) organization delivers enterprise governance, risk and compliance (GRC) solutions. As part of the work and support offered, the team manages applications used by the following business units:
Both units had custom developed solutions that were running on a generic platform that was nearing end-of-life status. As part of the CIO organization’s standard application lifecycle management and requirements gathering process, the Security and Compliance Enablement team not only evaluated new platforms and technologies but also considered changes in the business and GRC industry. This led the team to reimagine GRC processes and explore new opportunities. These include employing a GRC-specific platform, democratizing the data for integration with other tools and greater business use, leveraging automation to increase user productivity and the ability to incorporate generative artificial intelligence (gen AI) that would support IBM’s AI-first strategy and deliver a solution for tomorrow’s GRC workforce. |
Implementing a unified GRC platform for a holistic business GRC mission with modern standards and processes
In cooperation with internal customers and stakeholders, the CIO organization chose to implement a new holistic business GRC solution based on IBM® OpenPages®. OpenPages was the best fit, considering the many factors to evaluate. These included individual business processes, technical requirements, user needs, diverse types of internal audit engagements, process workflows supported by the teams involved and the opportunity to align to a business model and industry standards.
Solution requirements included the ability to build and customize complex workflows according to business rules. Additionally, a low-code and flexible alternative was needed to be able to change those business rules easily without engaging developers. It was also essential for the team to have a user-friendly interface to format reports, which is something OpenPages offers by being integrated with IBM Cognos® Analytics and the option to generate reports in portable document format (PDF).
Simplified risk management and regulatory compliance
Bringing CA&AS and Finance Business Controls onto a common GRC platform helps IBM gain a more complete view of its controls, assurance and overall risk posture by granting visibility at the business unit level. The OpenPages solution provides users with awareness of audits in progress and offers a holistic view of their results.
Over 700 users access the GRC platform, globally. These users include business controls professionals, auditors and their leadership teams, as well as business units’ representatives participating in the internal audits. The chief audit executives are not necessarily users, but they get the official audit reports that are generated for the IBM audit committee.
Next steps
The CIO organization’s Security and Compliance Enablement team is currently working on expanding the overall transformation strategy by integrating business controls, corporate assurance, risk management, corporate security and business continuity. This is a long-term endeavor intended to build an enterprise-level GRC platform that looks at different dimensions to identify threats, validate that controls are in place and determine the corporate response strategy.
The GRC platform roadmap also contemplates integration with IBM watsonx™. AI and automation are a great fit for the work products that are generated. The current solution has considerable natural language text and summarization capabilities.
Lessons learned
- Establish a continuous integration and continuous delivery (CI/CD) pipeline.
- Identify business units and auditable business entities in-scope and define how to measure their controls and assurance.
- Use consistent risk taxonomy and terminology across business units to establish standards for enterprise data.
- Standardize the document formatting options available to users.
About The Chief Information Office (CIO) organization
The Chief Information Office (CIO) organization leads IBM’s internal IT strategy and is responsible for delivering, securing, modernizing and supporting the IT solutions that IBM employees, clients and partners use to do their jobs every day. The CIO organization’s strategy encompasses creating an adaptive IT platform that makes IT tools, applications and systems easier to access across the enterprise, accelerates problem-solving and serves as an innovation engine for IBM, catalyzing business growth.
Legal
© Copyright IBM Corporation 2024. IBM, the IBM logo, OpenPages, Cognos, and IBM watsonx are trademarks or registered trademarks of IBM Corp., in the U.S. and/or other countries. This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.
Client examples are presented as illustrations of how those clients have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.