Accelerate Business Performance with Risk-Aware Decisions

The subject of GRC is very new, but all industries are discussing it. GRC will become one of the most important subjects in the next decade.

We are happy to say our compliance to incident reporting and tracking in the new software is now at 96%, previously in the first edition, it was 4%. Our  action tracking today is at 89% and previously it was I think 17%.

Before we had manual duplicated workflows but now it's automated and efficient. Before we had siloed GRC data- compliance has one set of data, risk has one, audit has one, BCP has one. Now it's a single GRC data repository with clear ownership of each data elements and strong data governance. Before risk was seen as the work of the risk function now risk is everyone's business.

Our first line is no longer coming to us to fill requests on an ad hoc basis. We are not having to drop everything to pull reports out of MetricStream for them. They can go straight into the Tableau server, pull the report they need and they are good to go.

Embarking on a GRC program was really about delivering value and making sure we are not spending resources unnecessarily. We also wanted to enable the different lines of defense to deliver on their individual accountability.

In terms of benefits of implementation, we've achieved everything we set out to. We have a single source of the truth. The GRC platform is seen by the CRO as the place where all of the risk and control data and loss event data in Nationwide is mastered. It is the central record, the only record that we use to report to the regulator.

Dealing with risks is a part of everyone's day to day job. All of our employees at Salesforce are Risk Rangers and it takes all of us playing our part to effectively manage the risks that we face.

Another aspect is the qualitative and quantitative risk assessment increasing the visibility of risk and the end to end accountability of the risk owner in the first line of defense. The basis is to build up a trust partnership with the first line of defense, maturing skills and levels of the staff. The impact is to have a stronger risk culture because in risk mitigation it is important to be prepared.

We have started to aggregate risk data across the various risk taxonomies and risk types i.e. if an individual of our company or a client is showing up in more than 1 risk silo, it probably warrants an in depth review. This is obviously a much more complex system but the first results we are seeing of this holistic monitoring are quite promising. We have completely revised the controls framework for our key risk areas such as AML, Know Your Customer.

We have now started to see commonality between different organization unit's risk assessment. We are starting to see maturities in how we are identifying issues in that process. We also have action plans for the next quarter and so forth.

Using risk information during the time of the crisis is vital. So if anything the spotlight on MetricStream and the data within it and our ability to adapt that information has been huge. We are using the current environment as a lever to make sure we are keeping information up to date.

One of the highlights of our GRC implementation is the successful use of the survey module as a global first level assurance activity. In the last 6 months alone, we've completed close to 10,000 first line assurance verification. This is supporting our control testing and eventually helping us to demonstrate the effectiveness of our controls.