top of page

Case Study 1:
Strategic GRC Transformation



A well-established global business group has an entrepreneurial and democratic culture, which allowed group-wide operational risk standards to be implemented in various flavours as each business was empowered to interpret and apply them differently. Over-time the implementation of the multiple flavours of the risk standard led to various challenges which included a proliferation of technology, processes, data and reporting as:

  • The firm had multiple risk, governance and compliance technologies and  processes including various products, in-house software, and spreadsheets. The variability and reliability of processes served to undermine the credibility and significance of the risk and compliance processes.

    • The firm had multiple disparate manual processes; some processes were always expected to be manual, and some processes had become manual as the technology was no longer usable in some areas.

    • Some technology product capabilities had been heavily customised and had over time become redundant as they could not meet the needs of the business or had become unmaintainable.

  • The firm had different reporting styles, content, and frequencies within the differing business units and again at the group-level. The reporting processes required significant manual intervention throughout the firm to collect and harmonise data;  there were known quality issues with the data and other content which served to undermine credibility of the risk and compliance reporting.

  • The firm’s businesses used differing risk and control terms  which complicated and compromised discussion and communication further undermining the credibility and importance of risk and control.

This accumulative lack of credibility reduced the cultural importance and recognition of risk and control within the firm. The lack of credibility and recognition also served to undermine the relationship between the 1LOD and the 2LOD.  The firm was in a position where there was audit, regulatory and cost pressure to address the challenges; corporate re-structuring was the opportunity to enable change.


The firm recognised the need to undertake a group wide transformation, the transformation covered technology and business related GRC. The firm engaged resources from Integrated Control Framework Consulting to work on the transformation programme. Our Consultants engaged in (i)the business case creation, (ii)programme direction and execution, (iii)subject matter expertise and consultancy, (iv)process analysis and design, (v) reporting approach and definition and (vi) training and education. We managed and guided the firm through 5 key elements:

  • Establishing Buy-In – as part of the business case creation and during transformation execution there were open discussions with board members, audit committees and members of the 1st and 2nd line to communicate the ethos and nature of the transformation. The firm undertook an RFP and chose a leading eGRC technology product. The situation was not a technology problem however there was recognition that by using the technology as a product the firm had the opportunity to bring its GRC practises and processes swiftly in line with peers.

  • Establishing a Delivery Partnership and Communication Framework – the transformation executed as a series of focused delivery streams with workshops and management meetings for each. There was also a Steering Committee, Operating Committee and a Risk and Control Forum, plus supplementary general communication. The intent was to maximise the engagement with the business units in partnership with 2LOD colleagues, so the business units did not feel “done to”. The 2LOD worked through enhancing various standards documents in conjunction with the 1LOD to ensure clarity, lack of ambiguity and to foster partnership.

  • Demonstrating the Art of the Possible - the use of a credible eGRC technology product helped the various business units work together and compromise to set up unbiased group-wide processes. Following the mantra of using the product “Out of the Box”, participants were guided to focus on outcomes not on pre-conceptions of what is needed. The focus on outcome was unifying as it started to foster the common understanding and terminology. We introduced well structure taxonomies and data libraries and heightened the awareness of the general importance of data.

  • Onboard Not Roll-out – first implementation was made to the least challenging business areas to make quick wins and prove the credibility of the solution and approach; business units were onboarded when they were ready. It was observed that business areas started to enquire why they had not been onboarded sooner as the implementation progressed, the successes started to further challenge and highlight the efficacy of the business units that had not migrated.

  • Embedding and Reporting – it was recognised that the problem being solved was not a technology problem and the key to success would be the embedding and adoption. Much time was spent as part of the transformation creating training and reference materials and a digital adoption platform was implemented in parallel with the eGRC system to provide a legacy of training, information, and guidance. To verify the embedding an Integrated Control Framework Report was designed that pulled together elements across the platform; this report was for use in the Audit Committee, Executive Committee and various boards and management meetings. The report encouraged the use of the system by each business area and encouraged the proper focus on getting the data within the system correct on time.


We collaborated with the firm to deliver a significant upgrade in the firms’ risk and control processes and culture. The benefits delivered include but are not limited to the following:

  • Direct cost reductions and process efficiencies such as:

  • the decommissioning of various systems and infrastructure.

  • operational resource efficiencies within 1LOD and 2LOD, illustrated by (but not limited to) the removal of a 1LOD reporting team and significant reductions in 2LOD areas.

  • the creation of one single group wide Notifiable Event process that brought together multiple (more than 30) risk event and breach (regulatory, service and policy) business processes.

  • the transformation delivered the mechanism to establish improvements in areas such as data governance and data strategy.

  • Risk and Control cultural improvements such as:

  • improved relationship between 1LOD and 2LOD, illustrated by (but not limited to) the creation of a Risk and Control Forum.

  • the recognition of the importance of risk and control activities illustrated by (but not limited to) the 100% completion of RCSAs on time from a previous 5% timely completion rate.

  • Risk and Control Reporting improvements such as:

  • the creation and adoption of an Integrated Control Framework (ICF) report that was adopted at a group, business unit and legal entity level.

  • recognition from the executive committee of the improved quality of the ICF Reporting and the support needed to complete the journey off fully embedding and enhancing the practises into the firm’s DNA.

  • the introduction of a monthly reporting cycle that created the consistent set of data to be used by all governance forums.

The transformation was highlighted for special praise by the regulator contributing to the successful regulatory approval for the corporate re-structuring.

It is recognised that the completion of the transformation is not the end, the delivered platform and practises will be enriched and evolved over the coming years continuing to add value. The adoption of the technology product in a near to vanilla format means the firm will readily benefit from improvements in risk and control practises as well as the technology going forward.

bottom of page