Why are conventional GRC/ERM solutions blind in one eye and short ‐ sighted in the other?

66% of Financial directors in a recent survey at PwC claim that they would like to improve the relevance of their KRIs in 2017 . 

By Ariel Luedi – OXIAL Chairmain, Dorian Selz – Squirro CEO, Eric Berdeaux – OXIAL CEO, Patrick Barnett – QUMRAM CEO

The Context

Gone are the days when conventional approaches to GRC can guarantee a risk-­‐free business and full compliance. The original concept underpinning GRC was to implement effective controls for potentially risky business processes. The idea is to collect and analyse the results of these controls, on a quarterly basis, to calculate the overall risk for an enterprise. The Management team then receives a lengthy report, detailing risk relating to the last quarter, and the level of compliancy that had been achieved.

This is a report that is rarely – if ever – read completely, by anyone.

Management have no useful view of the degree to which the Enterprise is exposed to risk, leaving them blind in one eye and short-­‐sighted in the other.

This approach may have worked in a world that was operationally sluggish, where changes in the business were few, and where internal and external were limited.

The Challenges & Needs:

Today’s digital world is completely different.

  1. Regulatory and Compliance pressure is increasing. New risks and threats can develop within days, not quarters. Regulatory changes occur far more frequently, in an attempt to keep pace with the changing world. Changes in organization, such as mergers and acquisitions, are commonplace.
  2. New digital communication channels offer immense opportunities, but also pose unfamiliar threats, and require more action to ensure complianc
  3. The company “dark net” is a very real threat – this explosion of data and information, mostly unused and unstructured inside and outside the company, that can operate under the corporate radar, and are often impossible to link or keep track of, making internal fraud and malpractice difficult to detect.
  4. Organizations don’t keep up with silos processes and communications, making it impossible to link and keep track of all incidents and controls through all business

The analogy:

In order to explain a little bit, what are the needs that result from those challenges, let’s picture your company as a “city”, to understand better those challenges and needs. And ERM has the job to keep the city safe.

Traditional GRC is then like the traffic police making sure that the traffic rules are being followed. Traffic lights
are like controls to keep circulation safe. The roads are like the main business processes which are under surveillance the main duty of traditional GRC systems. Traffic violations will create alerts like failed controls or other non standard behavior. This all will end up in statistics about the traffic safety in the city or the risk report of the enterprise. However, reports are being produced monthly or quarterly. What about having a real-­‐time view on what’s going on?

Now people should be able to feel safe right? But there are risks beyond the main road which have surveillance and traffic lights. What about the little roads where there is never a policeman? What about traffic beyond the paced roads, dirt roads? People also cut
across parks, fields, sidewalks? Like in a company there are lot of things going on beyond the main business processes, less important formal process and informal process and communication. You need a system who can find new risks by connecting the dots of many seemingly unrelated data points.

A system who can discover or even predict a new risk by finding a connection between tracks in the dirt, a broken street light and a run though a red light or in the case of the enterprise a suspicious email combined with a trading behavior and a Twitter tweet plus an entry in the log of an application showing a very late login. Providing insights what’s going on in the dark where there is no surveillance! Giving you a heads up to prepare yourself against this threat!

The City, like the enterprise, is however not an island.

There is a continuous flow of traffic or in the case of an enterprise interactions with customers and suppliers across many channels. Highways, trains, by air on foot a.s.o like a bank is interacting with customers on the phone, in the branch and the digital channels like mobile, web and social increases this number even more. You need a system to enable a guided, secure and documented entry of traffic or customer interactions.

Even today you record phone conversations (for quality reasons?) and write meeting protocols if people choose to visit the branch in order to have proof what has been discussed and decided. But what about the digital channels. You need the same protection for all customer interactions via mobile apps, the web or social networks. In order to proof to the authorities that the customers were presented the correct information, have been asked the right questions and shown in the case of an investment all the risks of a specific product before the trade.

The combination of the three elements will give you a much more certainty that you are in control of your business and the risks involved. And this is the answer that Oxial – Squirro – Qumram provide together as a “new Generation ERM ecosystem”.

The Answer:

In order to truly manage Enterprise Risk in today’s digital world, the following three ERM components must be in place:

  1. MITIGATE IT: managing in a real-­‐time and agile GRC, with Oxial An easy to use GRC solution which can be implemented in weeks not months. Covering all well know areas like Risk, Control, Compliance, Audit. Key point is that the management always has a real-­‐time view of potential risks. Management needs to be made aware of new developments in order fort hem to take action. Waiting for the quarterly risk report might be deadly for your business. Operational and regulatory changes happen at an ever increasing frequency. GRC systems usually can not keep up with the level of change and they become hopelessly outdated both in terms of the business process, responsibilities and regulatory requirements. Traditional systems are not built to manage this speed of change!
  1. MONITOR IT: Connecting dots to find Fraud and new Risks, with Squirro There is a lot of data elements coming in and out that you need to collate and analyse, whether we talk structured or unstructured data. A fraudster is leaving trails all over the place… in an email, in WhatsApp, in a pdf or word document, in a log file due to his logins or trades and more. The problem is to connect these trails, these dots to a complete picture. Every company has a huge, quickly growing, repository of documents. The sheer number of documents generated each day requires an automated system to guarantee compliancy in real-­‐time. Squirro allows you to have a total control of those unstructured datasets (fetch, identify, detect, trend anomalies and risks).
  1. MANIFEST IT: recording all behavioral data across Digital, with Qumram In the past, communication with your customers, suppliers and employees were based on paper and voice. Now a dozens of digital communication channels and applications have been established (email, internet (social, ecommerce), mobile (sms, WhatsApp). The big issue is how to make sure and be able to proof it, that the enterprise is compliant in what and how they communicate with the customers as an example.a) have the correct terms and conditions been shown on the website?
    b) Did we present a warning to the customer that this particular investment product has a higher risk than others?
    c) Did the customer click on YES on the website when asked if he/she has experience with structured products?

    A solution is necessary which capture and record all these digital discussions and interactions, in context across all the different channels and applications. It allows enterprises to have evidence for regulatory compliance. In addition, it allows to analyze customer behavior and provide invaluable input to your digital marketing teams.

Three use cases:

If we take this now down to the level of actual use cases. We have worked on three main use cases so far: 

The first, cyber-­‐security, multi-­‐layer topic but for which one specific aspect has been untouched so far. That is the analysis of the unstructured inbound data. Giving you an example, “phishing emails” looking for an immediate wire transfer re-­‐using suspiciously looking email account of the CEO. This is today not covered by any code tools, because not going down to the content level of an actual conversation. Her we come to actually record what’s coming in / out, and manifest evidence, and mitigate those risks.

Second use case: internal fraud. It is all about real-­‐time compliance, the monitoring of the flow of information internally automatically, around messaging application, CRM systems, Documents and others. This is where we are able to again monitor, manifest and mitigate the risk by identifying such cases that need a more precise look at what’s happening there.

The 3rd use case is an AntiMoney Laundering element. The combination of what was explained before: detection of possible misbehavior around communication, plus the trend of anomalies detection, allows you to identify suspicious trade flows, monetary flows within your current setup way earlier than before. The important point here is that traditional GRC tools in that domain will require a pre-­‐training of prior cases; which is not the case with our ecosystem where the cognitive intelligence of our combined platform allows you to go parameter-­‐free detection of anomalies.

We could illustrate the power of this new generation ERM framework with plenty of concrete examples. We chose 6 very straightforward ones:

So now, ask yourself:

  • Do you have complete visibility and a mitigation plan for everything that is going on in your company?
  • Are you able to identify what you don’t know? Are you maybe being blind-‐sided?
  • Do you have real­‐time access, across the globe, on all your channels, for all your data whether structured or unstructured?

If you feel unsecure in one or more points here, you are not alone. Many of our clients felt they are not ready and started to engage with us. We invite you to reach out to us for deeper conversations.