CIO Streamlines Corporate Data Governance
Transforming business governance, risk management and compliance (GRC) with an AI-powered platform
Internal IBM business units
End-of-life stovepipe GRC applications that don’t support IBM’s new vision and modern processes

At IBM, the Security and Compliance Enablement team within the Chief Information Officer (CIO) organization delivers enterprise governance, risk and compliance (GRC) solutions. As part of the work and support offered, the team manages applications used by the following business units:

  • Corporate Assurance and Advisory Services (CA&AS): This unit supports audit functions that include internal audits, mergers and acquisitions (M&A), application systems control and auditability (ASCA) certifications, advisory reviews and third-party reviews of suppliers, Business Partners, security and privacy. It’s also responsible for reporting findings to the audit committee in IBM’s board of directors.

  • Finance Business Controls: This unit supports the Sarbanes-Oxley (SOX) Act compliance program, process definitions, the controls and testing program, quarterly certification of management and manager assessment of controls. All of this work supports IBM earnings announcements and the US Securities and Exchange Commission (SEC) filings.

Both units had custom developed solutions that were running on a generic platform that was nearing end-of-life status. As part of the CIO organization’s standard application lifecycle management and requirements gathering process, the Security and Compliance Enablement team not only evaluated new platforms and technologies but also considered changes in the business and GRC industry. This led the team to reimagine GRC processes and explore new opportunities. These include employing a GRC-specific platform, democratizing the data for integration with other tools and greater business use, leveraging automation to increase user productivity and the ability to incorporate generative artificial intelligence (gen AI) that would support IBM’s AI-first strategy and deliver a solution for tomorrow’s GRC workforce.

Over 700 GRC platform users, globally

"We thought this would be a multi-year project, requiring many developers. We completed the OpenPages MVP (Minimum Viable Product) for CA&AS in less than a year with a small team. It was a useful tool to get us up to speed fast."
Fabricio Miatto, CIO Security and Compliance Enablement, IBM

Implementing a unified GRC platform for a holistic business GRC mission with modern standards and processes

In cooperation with internal customers and stakeholders, the CIO organization chose to implement a new holistic business GRC solution based on IBM® OpenPages®. OpenPages was the best fit, considering the many factors to evaluate. These included individual business processes, technical requirements, user needs, diverse types of internal audit engagements, process workflows supported by the teams involved and the opportunity to align to a business model and industry standards.

Solution requirements included the ability to build and customize complex workflows according to business rules. Additionally, a low-code and flexible alternative was needed to be able to change those business rules easily without engaging developers. It was also essential for the team to have a user-friendly interface to format reports, which is something OpenPages offers by being integrated with IBM Cognos® Analytics and the option to generate reports in portable document format (PDF).

"Our overall transformation strategy is to integrate business controls, corporate assurance, risk management, corporate security and business continuity planning. Unifying our governance, risk and compliance program on a single enterprise-level platform will enable us to look at our business holistically and better manage risk in a dynamic business environment."
Mike Russo, Senior Manager, CIO Governance Risk & Compliance Platforms, IBM

Simplified risk management and regulatory compliance

Bringing CA&AS and Finance Business Controls onto a common GRC platform helps IBM gain a more complete view of its controls, assurance and overall risk posture by granting visibility at the business unit level. The OpenPages solution provides users with awareness of audits in progress and offers a holistic view of their results.

Over 700 users access the GRC platform, globally. These users include business controls professionals, auditors and their leadership teams, as well as business units’ representatives participating in the internal audits. The chief audit executives are not necessarily users, but they get the official audit reports that are generated for the IBM audit committee.

Next steps

The CIO organization’s Security and Compliance Enablement team is currently working on expanding the overall transformation strategy by integrating business controls, corporate assurance, risk management, corporate security and business continuity. This is a long-term endeavor intended to build an enterprise-level GRC platform that looks at different dimensions to identify threats, validate that controls are in place and determine the corporate response strategy.

The GRC platform roadmap also contemplates integration with IBM watsonx™. AI and automation are a great fit for the work products that are generated. The current solution has considerable natural language text and summarization capabilities.

Lessons learned

  • Establish a continuous integration and continuous delivery (CI/CD) pipeline.
  • Identify business units and auditable business entities in-scope and define how to measure their controls and assurance.
  • Use consistent risk taxonomy and terminology across business units to establish standards for enterprise data.
  • Standardize the document formatting options available to users.

"By bringing audit and business controls to a common platform, IBM will have a better assessment of its controls, assurance and overall risk posture by providing visibility at the business unit level. The solution enables users to review results of assurance activities, compliance controls and management risk assessments. This provides a holistic view for leadership assessments."
Mike Russo, Senior Manager, CIO Governance Risk & Compliance Platforms, IBM

About The Chief Information Office (CIO) organization

The Chief Information Office (CIO) organization leads IBM’s internal IT strategy and is responsible for delivering, securing, modernizing and supporting the IT solutions that IBM employees, clients and partners use to do their jobs every day. The CIO organization’s strategy encompasses creating an adaptive IT platform that makes IT tools, applications and systems easier to access across the enterprise, accelerates problem-solving and serves as an innovation engine for IBM, catalyzing business growth.

OpenPages delivers an enterprise-grade GRC platform to support innovation

By implementing OpenPages, IBM’s CIO organization delivers a single, adaptive governance, risk and compliance (GRC) platform that streamlines the company’s corporate governance efforts and serves as an innovation engine supporting business growth.


© Copyright IBM Corporation 2024. IBM, the IBM logo, OpenPages, Cognos, and IBM watsonx are trademarks or registered trademarks of IBM Corp., in the U.S. and/or other countries. This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

Client examples are presented as illustrations of how those clients have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.