At a recent GRC Summit, Jacob Holmehave, Head of Group Risk Office, Nordea, and Brian F. Sorensen, Chief Execution Officer – Group Risk Change Management, Nordea, walked the audience through their GRC journey with MetricStream and their learnings along the way. Nordea is the biggest bank in the Nordic region with around 10 million customers.
Here are the key takeaways from Jacob and Brian’s session.
Jacob: Our MetricStream journey started a few years back. There have been some good successes along with some learnings.
A few years ago, we embarked on what we call IRMA, the Integrated Risk Management Application. In 2020, the European Central Bank (ECB) conducted an onsite inspection of our compliance processes, and, unfortunately, their feedback was less than favorable. This prompted us to critically assess how we were operating. It became clear that we needed to change our approach, but it also presented an opportunity to upgrade some of the underlying solutions and technical aspects. Additionally, we took the chance to review our non-financial risk processes.
The implementation of IRMA is a collaborative initiative, requiring active participation from individuals across the entire bank.
Brian: Our initial approach was heavily process-driven, as the governance was structured around established frameworks. The structures were in place, but the system remained manual, requiring data to be transferred between different processes, with each process capturing its own required information. There was little interaction or utilization across these processes.
We had over 50 operational and reporting processes, with each business area creating its own version based on a common framework. A considerable amount of time was invested in these efforts. We also had more than 10 applications—some homegrown, others customized GRC applications that, over time, became difficult to revert to standardization. This included numerous user-developed tools, such as Excel sheets. On the human side, this resulted in significant effort being expended, but the actual value was unclear.
Jacob: We had about 10 different systems spread across the bank, along with hundreds of Excel sheets, SharePoint sites, and similar tools. The goal was to consolidate all of this into one enterprise application.
We also aimed for a common, integrated data model and decided to adopt a cloud-based solution, which at that time was not something we had done at Nordea.
Additionally, we committed to an out-of-the-box solution with no customization. The concept was to reverse the usual approach—rather than having the processes dictate the system, we wanted the system to dictate the processes.
Brian: Phase 1 was focused on Simplification, setting the foundation for phase two at a later stage. Our objectives were to:
We began in September 2021 with the Regulatory Directory, organizing our work areas, which resulted in managing approximately 32,000 obligations. In March 2022, we implemented RCSA, followed by Compliance, where we reassessed our approach.
Instead of rolling it out product by product, we recognized that development could be accelerated by focusing on capabilities. With RCSA in place, we leveraged the same functionality for Principal Financial Controls (PFCs), which is equivalent to SOX. We rolled this out using Operational Risk Management (ORM), applying what we had learned from risk assessment, control assessment, and control testing, and added other libraries while maintaining the same structure. This sped up the process, expanded coverage, and facilitated broader deployment.
We also rolled out Issue and Action Management across all three lines of defense. This meant that, upon going live, first-line, second-line, and audit issues were all rolled out simultaneously, along with a migration.
Benefits
We plan to do a version upgrade every year. We upgraded from Arno to Colorado, and early next year, we will upgrade to Euphrates. This annual schedule ensures we don't fall behind.
Currently, we are focused on creating a common reporting solution for non-financial risk management. We are integrating IRMA data into our Common Data Platform and building a reporting solution on top of it. This setup will allow us to pull data from various sources, creating a unified reporting unit.