GRC Tuesdays: Using New Forensic Applications in GRC to Strengthen the Three Lines of Defense
Implementing the Three Lines of Defense approach, and more broadly a complete set of governance, risk and compliance (GRC) solutions, has never been more critical.
There are several reasons for this, spanning from the permanence of regulatory pressure with obligations continuously evolving and new legal requirements regularly appearing, to the emergence and spreading of risks such as fraud, threat on reputation, third-party and cyber risk, and so on.
In parallel, CFOs are concerned more than ever with the costs that go with the processes and resources in place to respond to these requirements, as reactive approaches to compliance and scattered responses to the diverse types of risks have generated silos and duplications.
Establishing a Strong, Automated Three Lines of Defense Platform
At SAP, we’ve recently commissioned research to better understand and measure these challenges and how companies are planning to solve them going forward. For example, last summer we published with Forrester Research a Technology Adoption Profile on the Three Lines of Defense.
To break silos and improve performance, more and more companies seek to re-centralise GRC information and automate GRC processes. This is also important to gain consistency—with increased efficiency and effective responses to risks and compliance needs—and improve assurance.
This often translates into opting for a Three Lines of Defense approach, supported by a robust, integrated, technological platform. This is key to allowing organizations to share critical GRC information (like info on risks, controls, and issues) and ensure that stakeholders in each line (operations, central functions, internal audit) collaborate effectively, and efficiently.
But There’s More…
The automation and integration brought by GRC technology to better monitor risk and controls has created the need to go further and check for deeper and hidden issues that might expose companies to fraud and financial losses, negative impacts on their brand and reputation, or compliance fines.
Technology innovation around Big Data capabilities, predictive analytics, and Cloud has brought opportunities to develop solutions that can:
- Tackle these less visible risks and issues
- Better predict their occurrence
- Improve even further the high level of protection already delivered by a strong, integrated three line of defense platform
In this way, they very effectively complement the risk and compliance core, providing an extra layer of protection and helping improve business integrity in key processes like finance, procurement, treasury, tax, and so on.
One of the first areas where these innovative complementary solutions have been developed is in the fight against fraud. This is a logical response given the growing concern it represents for companies in all industries, and their increased exposure to this type of risk in a more connected world and fast digitalizing economy.
In the same way, companies also develop their business network and partner with more and more third parties to grow their business (suppliers, sub-contractors, service providers) and they seek to connect and interact faster and more efficiently with their customers. All this also de-multiplies the level of their risk. Their need to screen and monitor these third parties also calls for specialised solutions to complement existing control and risk oversight processes.
Lastly, the notion of business integrity extends to the protection against any types of anomalies or issues that require deeper analytical capabilities—misuse, errors, waste, compliance misses, wrong tax postings, and so on. The need for these additional solutions that can identify and help remediate these issues is expanding rapidly in the world of live business (digitalization, networks, business velocity, and so on).
The Forensic Approach—A Useful Analogy
The requirement to chase for potential fraud, anomalies, or waste and abuse in business transactions—which many times is like looking for the needle in a haystack—can be compared to what police and specialised investigators need to do when searching for clues after a crime. They need to look deep into the information, relationships, and evidence they can find, but also rely on a level of intelligence, methodology, and experience to conduct their investigation.
Business integrity solutions developed to complement the GRC core around the Three Lines of Defense also need these capabilities:
- Analyse deep into the data
- Rely on detection rules and strategies
- Leverage predictive analytics
- Continuously improve based on earlier findings in similar patterns
And if we think about fraud as an example, patterns are elements that these solutions look for to identify potential cases, just like a forensic investigator would do.
In both cases, there is also a predictive dimension, and looking at historical data and patterns makes it easier to predict and anticipate a fraud case or other anomaly, just like police investigators learn from experience.
With this sum of similar characteristics, we could designate these fraud detection and investigation, third- party screening, compliance checking, and other anomaly scanning capabilities under a term like “forensic solutions.” As part of GRC, they powerfully help manage a set of risks and compliance needs.