Transcript- GRC Technology Global Perspective Listen We’re producing a series of podcasts on GRC programmes and technologies, obtaining perspectives from Protiviti leaders and subject-matter experts around the world on GRC drivers, innovations and challenges in their markets. This episode features conversation with Scott Wisniewski, a managing director and leader with Protiviti’s Software Solutions group. Scott offers his thoughts and perspectives on GRC trends in the market. Listen Kevin Hello, this is Kevin Donahue, welcoming you to a new edition of Powerful Insights. We’re producing a series of podcasts on GRC programmes and technologies, obtaining perspectives from Protiviti leaders and subject-matter experts around the world on GRC drivers, innovations and challenges in their markets. This episode features my conversation with Scott Wisniewski, a managing director and leader with Protiviti’s Software Solutions group. Scott offers his thoughts and perspectives on GRC trends in the market. Scott, thanks for joining me today. Scott Thanks for having me, Kevin. Kevin So, Scott to start things off here, what are the GRC drivers you’re seeing in the overall market right now? Scott Sure. So, I think we’re probably seeing a lot of the drivers that we’ve historically seen increasing in maturity. When I look at it, I still see a strong push around regulating the industry. So, financial services and healthcare obviously, having the regulations in them, drive a lot of GRC activity. Probably drilling down into that concept, they’re actually drilling a little bit away from it, but information security and across industry. You’re seeing a lot of organisations having to comply with laws like the GDPR and similar U.S. state laws such as the CCPA, and with NYDFS. I think, broadly speaking, information security, even if you’re not talking about regulation, it’s just a huge issue in the marketplace right now in terms of cyber security, impacting not only your core operational risk, your ability to have business continuity and protect customer data, but also having sound governance risk and compliance practices – it actually can significantly impact your ability to respond to customers. With third-party risk management programmes really maturing, you can spend a lot of time, if you don’t have a really good GRC programme, trying to figure out what are your controls, how do you respond to this, or not even being able to meet opportunities because you simply don’t have the infrastructure that’s expected. So, information security becoming not only regulatory driven but also driven by your ability to meet customer-demand needs, enter new markets and use new technologies. So, you want to start to use new technologies in some of your offerings, well, do you have your own third-party risk management programme that helps you quickly bring new technologies in for exploration, or do you have to go through a huge betting process before you can even make use of that and, before you know it, some of the opportunities that you may have had are vanishing? I think, again, information security – just a huge push in so many different ways, not just regulatory. I do think that general governance and operational risk management does remain important in the marketplace and across the marketplace, and certainly, we actually are working with several non-publicly traded organisation and are seeing that they still need to have governance and good operational risk practices. Along with that comes the need for efficiency and the build-out of accountability across large enterprises, so organisations were spending a lot of time trying to understand, for example, what their financial reporting controls look like, disclosures look like, trying to come up with efficient means auditing against that, not only with a driver to have the good governance around that, but it’s also, I think, a driver of GRC technology to make that more efficient in general for our customers. Kevin That’s a great rundown. Thanks, Scott. So, my next question is around innovation, and I would expect that innovations impacting many of these drivers you just mentioned, but what sort of innovation in GRC are you seeing in the market right now? Scott Yes, that’s a great question. I think we’re starting to see good and decent amounts of innovation emerge. I would start by saying you still see a fair amount of organisations that are probably doing too much in Microsoft Office or disconnected applications or shared drive types of activities where they’re not just leveraging what I would refer to as the table stakes for GRC. There are some table stakes in terms of getting your information into a shared and rationalised data repository or a federated set of solutions that are interconnected. You can do it both ways. Still, you see a lot of where there are multiple applications – there’s no federation, no connectivity and no synchronisation. Again, I think there’s a fair amount of organisations still trying to kind of meet those table stakes. With that said, I also see emerging capabilities and technologies that are really helping this marketplace as well, and again, for the most part, you need to have those table stakes to make use of them. Still, some of those innovations we see include the much-improved use of metrics. Historically speaking, we are talking about risk management and risk assessment. It’s been a very subjective type of review, and again, there’s still a lot of assessment activity that occurs out there that is subjective. Still, we’re seeing at Protiviti that are a much better use of metrics. We’ve even helped clients with defining indices that give them an understanding of their risk position at different times based on an amalgamation, an aggregation, of those metrics and waiting for those metrics, I think, again, sort of a movement toward the metrics space. Evaluation of various positions is certainly one of the innovations out in the marketplace. I’ll take a step back – similar to that, the metric risk evaluations, and still in the realm of risk assessment, we have a variety of our team members here at Protiviti helping clients with the FAIR model, which is definitely a more quantitative ability to assess risk and really break it down into tighter scenarios that, again, bring back that value. So, again, I think the metrics-driven, the quantitative evaluation, of risk, is really something that organisations are improving upon. I’ll move into more of the control arena here as well, a significant exercise that companies need to go through when they’re going through these risk management exercises is control validation and control testing. We are definitely starting to see the more effective use of RPA in automation or controlled validation and testing exercises. A lot of those circumstances still, the RPA solutions that are potentially automating either processes and/or controlled in this particular vernacular. They’re sometimes still landing the results in separate repositories, and we’re certainly helping clients really make sure that they’re not repeating the sins of past by putting automated results back and, again, disconnected file shares and trying to find a home for them in their governance risk and compliance applications that are actually managing those controls. I think the automation of that, reducing test time, is really an important emerging trend we see, and then sort of moving up the curve in terms of technologies. The use of machine learning, OCR technologies and natural language processing technologies – we’re seeing those being introduced. On the machine learning side, for example, you’re seeing different solutions and vendors come to the table with capabilities to do regulatory analysis and mapping based on algorithms that, again, the machines are learning and scanning for in the marketplace to understand, “Are you potentially impacted by this? If so, what are your products and services?” Again, getting smarter and reducing the level of human intervention needed to make some of those evaluations you see in a lot of organisations and, again, particularly in FSI, which is heavily regulated, the need for transactional quality-control programmes. The review of loans that have been made or calls that have been executed, and the use of OCR to translate previously unstructured documentation and to structure documentation that now the machines can run through some of that transaction analysis instead of needing humans, or, again, a machine can perform an LP to understand what’s being said and the tone of a phone call, for example, instead of having, again, human intervening, are different innovations. So, circling back on your initial question, innovation, there’s certainly a lot of innovation occurring in this marketplace. I think organisations are well served to understand that they need to get to that table-stakes level of having a well-organised documentation set in order to make use of a lot of these capabilities, but once they get there, there are definitely tools in the marketplace to help them improve efficiency. Kevin I did want to ask you next about tools in the market that are being implemented, and part of that question I’m wondering is, are these tools featuring some of the innovations you just described? Scott Again, really good question – I would say for us, first of all, is we’re looking at the different tools in the marketplace and helping organisations organise this huge effort. Our first perspective is to understand what our client already has and to leverage that. We see a lot of organisations that might have a variety of GRC platforms available already to them, and it might be just about making better use of those technologies, and then certainly, there are lots of organisations that don’t have anything, or they’re just really not satisfied at all with their existing technologies. They need to help with designing their solutions and selecting updated solutions. On that note, I think one of our goals has been to work with a variety of tools in a variety of ways with the clients. In terms of the tools we work with – and our clients are going to hear this through a variety of the people that are on this webcast internationally – so, we have Matt Landers providing some of our U.S. outlook, Nicolas Perna and Scott Bolderson talking about some of what they’re seeing in the EU. Rakesh Kabra is talking about the Middle East. Ivan Torres is talking about Latin America. Yasumi Taniguchi is talking about Japan. Again, we have a lot of different people sharing some of what we’re seeing in different places in the world and tools we’re using. What I would say is we are really, as a firm, using a variety of tools and then creating a knowledge basis for ourselves globally to help our customers using different tools, and so we’re alliance partners with AuditBoard, SAP Process Controls. We’re service partners of ServiceNow. We have many certified Archer administrators to help people with RSA Archer. We’ve worked with a variety of GRC solutions either by advisory for clients or tool selection, such as IBM OpenPages, BWise, Galvanise and, again, all of those solutions are informing our perspective on how to help customers in the marketplace. We also can help customers through our own proprietary platform. We are a little bit unique in that. We’re the only actual professional services firm that’s never been rated in some of the analyst ranking store that the actual sophistication of our own platform. So, we can deliver that to clients as a simple GRC solution and/or what we refer to as some solution accelerators to help them with a specific point challenges they’re having. One of the things we’re doing is exploring this concept, Kevin, like an 80/20 rule for large enterprises. As we look at the tools available in the marketplace, like, “Are you a true enterprise that can make use of pure out-of-the-box functionality from some of these vendors, or do you need to actually leverage 80% of out-of-the-box capabilities and configurable options?” but then they’re like at 20%, where you need custom integrations, you need custom business logic, or you need to build them that federation we discussed earlier. So, we’re also a developer of custom GRC solutions for our clients that might be so other enterprise platforms, and one, just to throw out there, just because I think that’s not a GRC platform, but I think also it’s interesting to talk about in terms of meeting the needs of these GRC spaces, is Force.com, which has incredible capabilities for enabling workflow and reporting options that a lot of the GRC programme opportunities don’t. In any case, we are an implementer of a variety of these tools, and some of the tools are building in some of those innovative capabilities that we just talked about, and perhaps more importantly, you’re seeing the need to integrate enterprise reporting solutions and enterprise workflow solutions, enterprise RPA automation solutions, and workflow solutions into these platforms so that you have these best-of-breed types of applications where those platforms do what they do best, which is document and manage assessments, etc., where some of the other programmes do what they do best in terms of actually automating business processes, automating controls or interpreting different data. So, I would say that it’s a little bit of a mixed bag on that, but then there are GRC-oriented platforms, and then there’s different tooling that we as a firm bring to there, on top of those, trying to do some of the other automation we discussed. Kevin Scott, we do hear a lot, or more and more, about organisations pursuing integrated GRC. What are some of the challenges you see organisations facing right now in that pursuit? Scott Yes. Let me circle back a little bit to that table-stakes concept we talked about. You still see multiple GRC platforms out there, which in and of itself is not a necessarily a problem. That said, you see that they’re not aligned together or there’s no connectivity between the two, and frankly, a lot of times, there’s no ability to connect them because the underlying taxonomies, data sets and methodologies are very different. On one hand, you have this promise of people converging and integrating; on another hand, you have multiple platforms and multiple methodologies that don’t necessarily connect. So, I think the misalignment of processes and frameworks, coupled with the multiple GRC platforms, is a real challenge. I do think we also see, let’s say, even within individual GRC, you see some optimised configurations or expensive customisation. Interestingly enough, I want to circle back to that 80/20 concept where we talked about leveraging the platform’s out-of-the-box capabilities and perhaps then putting some specific custom capabilities or integrations on top of that. With that said, you really do want to maintain the spirit or the design intent of these solutions versus completely going off the track with them and configuring your own solution against the design of what the vendor has intended – you have maintenance issues. You start to have some spaghetti configuration therein, and so, certainly, we see a lot of that. It’s like the old Spider-Man quote: “With great power comes great responsibility.” So, some of these configurable platforms, we have to watch out, how much you do configure them, because you can, again, get into a jumbled method there. I would say the limited enterprise risk reporting, and that has a lot to do with some of the misalignment of processes and frameworks. The solutions themselves are coming up to speed significantly on their ability to leverage enterprise point solutions, like integrations with Power BI or Tableau, as examples. So, they’re coming up to speed on their ability to report on information. Again, it’s the alignment with the taxonomy that give you the ability to actually converge that I think is a challenge. Still, I think, as much as we talked about the innovations getting to those table stakes and then incorporating those emerging digital capabilities, such as RPA in-process analytics and machine learning, I think that’s still coming into the marketplace. As we look at those challenges, we do circle back to the age-old adage of “People, process and technology.” It’s been around since I’ve been in consulting, which is a while now. That said, we still continue to see organisations pick technologies before they have actually established their business processes and then really struggle to implement the technology, maybe thinking that the out-of-the-box configurations are going to solve some of their own data issues, but they really don’t. So, I think helping clients first understand that they have the prerequisite programme element, methodology, data, reporting objectives, governance structures to make use of technology as one of the key ways that we help them make the right decisions and then implement with more confidence than they otherwise would. Kevin We hear a lot about digital transformation initiatives happening in the market right now. How do you see organisations incorporating their digital transformation practices into their GRC programmes? Scott Yes. I think digitisation definitely is the soup du jour. So, it’s important to be talking about how that applies to GRC, and just the overall design level. At the highest level of it, I do see a lot more focus on UI/UX done historically. There have been challenges with using the out-of-the-box platforms in terms of their configurability, one, but also then, even within the more configurable platforms, does that result in really a good user experience, especially for globally distributed programmes? As you think about digital transformation, one of the essential tenets of it is customer/end user engagement. I would say first and foremost, you are seeing more of a focus on that end user experience and engagement even within these heavily compliance-oriented disciplines. The other thing I think that you’re seeing, again, is other digital things. Digitising your products and your services doesn’t sound like it’s necessarily specific to GRC, but when you actually look at what organisations are often doing to do that, they’re building these micro service-oriented architectures that allow them to be more nimble in terms of how they address new products and services, new capabilities that are needed. So, I think, again, the GRC community would be wise to think of that micro service architecture in terms of how do they deliver GRC programme elements and connect them together in a way that’s not as monolithic as it once was? Better-informed decision-making, and about that huge digital transformation theme, I talked a little bit about that. I think a lot of analytics are being brought into this industry. Again, it’s a place where I really do see a lot of power of more mature platforms making use of really good digitisation techniques and making really good use of different analytics tools that their platforms can leverage. Then, last, but not least, is digital transformation – a key theme is operational performance and efficiency. We talked a little bit about that. You do start to integrate RPA into this, and you start to use machine learning to automate things and intervene in previously human interactions, you’re looking to improve your overall operational efficiency. So, those are some of the ways, I think, that this digital transformation subject that’s in the marketplace applies to GRC and where GRC professionals would be mindful to make use of some of the learnings from it. Kevin Well, this has been a great conversation. Thanks a lot, Scott. Scott Yes. Thank you, Kevin. I really appreciate your time today. Kevin Thank you for listening today. You can find more information and podcasts offering perspectives on GRC from around the world at protiviti.com/GRC.