Previous GRC solutions have never hit the mark. ACL’s offering brings much-needed simplification and consistency. Most importantly, people like using it.
The history of GRC (governance, risk and compliance) solutions, ACL senior product manager Tom Faraday confesses, is not a happy one. Far too many times vendors have offered products that claim to deliver the same process to all three lines of defence, yet in practice have done anything but. This is a state of affairs that enterprise governance software provider ACL wants to change.
Moreover, even when ostensibly the same product has been offered, it very often has the capacity to be highly customised by the front office control function, compliance, risk, and audit. This means every one of these key functions has been using, in essence, a different application and a different workflow.
While being able to tweak every application to the needs of each function might sound attractive, it doesn’t add to combined assurance; rather, it detracts from it. If everyone is doing something a little different to the same data model, there is, inevitably, duplication and waste.
The ACL GRC solution, which has been on offer since 2015 and is used by about 7,000 global clients of which 60% represent Fortune 500 companies, is rather different. It is a fully integrated SaaS (software as a service) application to be used across all three lines to plan, document, test, and report. It aims to avoid the silos so often created by banks when operational risk controls are implemented.
Same, simple, streamline
“What we have is different,” says Faraday. “It’s in the cloud, and there’s no extensive customisation. It uses the same core data model and the same core workflows, no matter if you’re monitoring controls in the 1LOD, or performing risk and control self-assessments, or even performing audits. It’s the same base workflow with function-specific tweaks, and the same libraries across all three lines.”
The analogy that ACL likes to use is that of the development of an airliner cockpit over the last 50 years or so. What was once a space covered by a multiplicity of dials and gauges has been replaced by one that is far less crowded and has several screens do the work of hundreds of dials. Traditional GRC tools tend to show every single risk and its subsequent assessment, but this becomes overwhelming and unmanageable. ACL aims to concentrate on only the most critical risks and assess those risks in a manner that is clear and explicable throughout the organisation.
This should lead to a far more streamlined and less wasteful risk management process. Data gathered by the 1LOD can be aggregated and viewed by the 2LOD to monitor the effectiveness thereof, and, in turn, audit can then check the same data to make sure the 2LOD is working. Each line is able to validate the other using a specific and unique series of checks – without starting from scratch.
Plug and play
The platform is also compatible with any organisational data source – an ACL hallmark. It doesn’t need existing systems to be rewritten to suit ACL’s software. Businesses can continue to work the way they always have. ACL GRC can safely and securely grab the data needed for analysis and serve information to the top levels of the organisation through real-time dashboards. This, says Faraday, is different to what any other vendor has to offer.
It’s easy to see how and why front office control functions and those that monitor the work of the 1LOD have grown up independently, each with idiosyncrasies and eccentricities. This is particularly true of large global institutions with multiple different regulators. But the end result is one of unedifying inefficiency. Most banks realise that; ACL offers a way out without buying vast and compatible new systems for the front office, compliance and audit.
Let’s talk again
There are significant corollary benefits as well. Greater unification of data and process facilitates greater collaboration among the three lines. People start talking to each other again, rather than just those in their immediate teams. Moreover, the dangers of group think are less likely.
The importance of the delivery information in a language all understand cannot be overstated. “The ACL platform sends tasks, reminders, and to-dos, and delivers shared reporting,” says Faraday. “If you have a useful report prepared by one part of the business, it is very easy for someone in a different area to access it. This also becomes very helpful the higher up the organisation you go as you achieve, often for the first time, consistent MI [management information] reporting.”
Having a uniform reporting tool also facilitates the development of a consistent and universally applied ratings system to grade the severity of risk management problems. At the moment, audit, risk, and compliance often develop their in-house ratings scales, with a subsequent lack of clarity ensuing.
Making users happy
Over the years, ACL has used as much professional experience and testimony as possible in the development of its governance solution, in a bid to make it user- friendly. What it also discovered – and this shouldn’t come as much surprise to those working on a sales and trading floor – is that the large majority of supervisors don’t really want to be focusing on the risk and control tasks that are now a mandatory part of their jobs. Without the right tools and reporting, they are even less keen to do them.
“This part is key,” concludes Faraday. “You can invest in technology and systems as much as you like, but if the MI that comes out is not easy to understand and people won’t use them, then you’re not getting any value whatsoever.”