No more apples-to-oranges

A tech solution to the “fruit salad” approach to data analysis that frees you to spend more time making decisions and less time sorting the numbers.

Melinda Mothander

Advisory Managing Director of Governance, Risk, and Compliance Technology Services, KPMG US

+1 703-286-8669


Video transcript

Good afternoon. Fruit salad. We've all had fruit salad. After a while, all of the individual components start to blend together. This is how large organizations today are managing their enterprise-level reporting. They're trying to compare apples to oranges to bananas. This leads organizations to spend so much time upfront trying to translate between the different data components that they're spending less and less time on the back end actually performing the analysis of the data. What's the answer? You implement a governance, risk and compliance tool, a GRC tool. GRC tools connect stakeholders across organizations and help to align the risk and compliance functions. They help to streamline reporting for better risk decisions. When I say GRC: G – Governance, think policies, procedures. R – Risk, risk assessments. C – Compliance, control testing. GRC tools are the long-term solution. However, in the short term, it's really important for organizations to focus on maturing their GRC programs: aligning their data, converging their processes, making sure that you're going to be able to achieve those integrated GRC benefits.

(01:43):

Data. Data is no longer an afterthought. It is a hot commodity that everybody is trying to harvest. Traditionally, organizations have been reporting on their data through vertical structures or silos. Through the use of a common language, through your GRC programs, you're able to report through a new lens, through a new dimension. You're able to report on aggregate, across the silos, giving organizations new information to slice and dice for better reporting. GRC tools. I'm sure most of you sitting in this room have at least one GRC tool implemented within your organization. You probably have more than one implemented.

(02:42):

At KPMG, we look at GRC tools and we bucket them into two different categories. The first category is Enterprise Tools. The second category is Point Solutions. Enterprise tools have been around for a long time. They're the MetricStreams, the BWises, the ServiceNows, the Archers. Point solutions are the AuditBoards or Workiva. Enterprise solutions solve for more than one business use case in one platform. For example, MetricStream is able to do a risk assessment, control testing and issue management all within the MetricStream platform. Versus a point solution that does one thing, very well.

(03:28):

The GRC industry is constantly changing. I'm sure in two years when the analysts put out their reports, there will be new vendors that we haven't even heard of today. Another trend in the industry is the shortening of the gap between enterprise tools and point solutions. For example, Workiva primarily was a controls testing solution. However, recently they've rolled out an internal audit module. The line between enterprise tools and point solutions is getting blurry. The point solutions are maturing their business processes and they're able to offer new solutions to their current customers.

(04:13):

Historically, organizations would try to implement all of their risk and compliance functions into one of those enterprise GRC tools, putting all of their activities into one platform. But businesses today are becoming more and more complex, and getting everything in one platform is becoming very difficult. Which leads me to our third industry trend: the concept of the GRC ecosystem. The GRC ecosystem is a small solution of GRC tools that all exist in a common platform. They are threaded together through the use of a common language and are connected on the back end through APIs and data lakes.

(05:10):

GRC ecosystems allow organizations to truly get those integrated GRC benefits. Integrated GRC benefits. The first one is the source of truth: making sure everybody in the organization is on the same page as to what the source of truth is for a particular data element. The next is the concept of being able to test once and utilize many. For example, within an organization, if internal audit comes in to test a control and SOX is also going to come in and test that same control, SOX should be able to leverage the work that internal audit did in order to lessen the impact on the business. Implementing a GRC ecosystem also enables greater transparency and accountability of your organization's information. And lastly, it provides you the insight for that real-time reporting and the ability to make those better decisions quickly.

(06:25):

To be able to have the information at your fingertips and not spend time trying to go translate and understand what the data means. You have it there, consolidated right there in front of you for your decisions. Implementing technology is never easy. Most organizations, as they implement their GRC tools, really focus on the technology solution, where they should really be focusing on building out and maturing their GRC program. We help organizations get back on track with their GRC programs. We help to optimize and enhance and sometimes even undo some of their previous decisions that they've made around their GRC programs. I like to call ourselves the cleanup crew. We help to get the train back on the tracks. And it's interesting: each organization that we go into to help, they struggle with success for a variety of reasons. Not one is the same. However, when you take a step back and look at all of the different challenges that these organizations have had, they really boil down to three main reasons.

(07:40):

In order to have a successful GRC tool enablement, you want to be able to focus and align on the vision and strategy, convergence and foundational elements, and people and change. Vision and strategy: it seems like a check-the-box activity, but it's not. These GRC initiatives are very complex and they have so many different moving parts. They involve stakeholders spanning an organization, and each one of those stakeholders comes to the table with their own perspective. So what's really important for the success of these technology enablements is to make sure that everybody is on the same page and understands what the ultimate overall objective and vision is. And it's also really important that there is a plan in place on how to achieve that vision and objective. We like to call the vision and strategy our North Star. We're setting that up, or we help organizations set that up, in order to truly be successful and to make sure that everybody is aligned.

(08:50):

Time and time again, organizations have been implementing these GRC tools for three-plus years and they've struggled with being able to show success. And the reason is that all of the hard work that they're doing, they're spinning, because they're not able to connect it to that larger overall vision, and so they're not able to move the dial forward on success. The next is convergence and foundational elements. This is the single most important thing that organizations must focus on, and it's the most... Most of the time, organizations completely miss it. It's about setting up that common language. It's about making sure that the different assurance functions within the organization are all talking the same way. So I mentioned earlier about having a new way to report horizontally, cutting across the silos; this is where that comes into play. Say you have an internal audit department and you have an ERM department.

(09:52):

They're both trying to assess issues and the severity of those issues. Internal audit is using one, two, three, and the other department is using high, moderate, low. When you go to report from an aggregate perspective, it's really hard to compare a three to a low. Apples to oranges. So creating that common language helps to align how organizations are going to be managing their risk and compliance activities. It's absolutely crucial to focus on this. And most often, this gets skipped over because people jump straight into the tool.

(10:30):

Lastly, people and change. We could do a great job setting up a GRC tool that meets all of the business requirements, but if we don't do a good job of making sure that it's embedded into the day-to-day activity of the end user, and that the end user understands the benefit of using the GRC tool, we should just scrap the whole implementation because nobody's going to use it. It's really important and crucial to make sure that the end user understands the benefit of the GRC tool, and to make sure that they understand how their process is going to become more efficient by using the tool.

(11:13):

Implementing technology is never easy. But if you approach it through a programmatic lens, focusing on the strategy and business, you'll be able to achieve those integrated GRC benefits. You'll have better data for enhanced reporting; you'll be able to compare apples to apples and oranges to oranges. One of my colleagues, Olivia, is out there doing a demo of the MetricStream technology. Please stop by, check it out and say hi. Next time I eat fruit salad, I know that I'll be thinking about GRC, and I hope that you will as well. Thank you for the time.