Building a GRC platform is complex, so keep it

Guest Post by David Nickles, Vice President, Business Leader – Operational Risk & Controls at MasterCard

Having worked through the implementation of a GRC platform at a few medium to large financial institutions, I have had the opportunity to experience many different learnings.

Conceptually, it sounds easy enough.

Step 1: Coordinate all groups/key stakeholders required to participate.

Step 2: Document each group's requirements.

Step 3: Once documentation exists for each group's requirements and existing data elements, align across groups.

Step 4: Alignment across groups should be simple…discuss, agree and make adjustments as necessary.

Step 5: Train people on how to use this new impeccable system that will meet your every reporting need. (***Note my sarcasm here.***)

Step 6: The ideal end state is one where all groups use the GRC platform, the data quality captured in the system is of a high standard, and we can easily run reporting that is consumable by the Board, Risk and Audit Committees without modification.

Let’s pause for a moment.

The implementation of a GRC strategy is a long, tedious process that grows and is enhanced over time. There are some very important considerations and factors to take into account when engaging in this journey, and “journey” is as close to a perfect term as you can find for an effort of this magnitude and complexity. The effort required to build a GRC platform is often drastically understated. It is a long-term investment that will move through various phases of maturity like any project, and it will require detailed planning and intermediate deliverables to produce a product that is a strong foundation for future growth.

Here are a few best practices in my opinion based upon my personal experiences.

Ensure you have support from senior management.
Identify and get buy-in from your required groups/key stakeholders.
Document each group's requirements from a business perspective.
Develop a data dictionary to be used by all your supporting risk and compliance functions/teams.
Relate data elements across programs by naming them the same, defining them the same and reporting on them consistently.
Ask questions like “What is my end game?” and “What type of reporting will my senior management teams, committees and Board wish to see and find valuable?”
Communicate with and train the organization on what GRC means and how we make it a real initiative by embedding it into our day-to-day operations.

About the Author

David has over 17 years of direct experience in the first and second lines of defense with a heavy focus on Operational and Technology Risk Management. He has also supported and partnered with Internal Audit to drive strategic objectives. He has often been described as an innovative thought leader in managing organizations’ highest risk areas while implementing solutions focused on operating efficiently and effectively which benefits the overall company. He has demonstrated strong proficiency in program management, project management/delivery, people, process, systems, data governance, data integrity, data availability, data security, enterprise reporting, internal controls, compliance and quality disciplines. Companies he has worked for include Aon Hewitt, Fidelity Investments, GE Capital, BNP Paribas and Mastercard.