In 2015, EIB launched a project to completely transform its internal control system. The project aimed at better integrating the dimensions of governance, risks and compliance (GRC). It was driven by demand from EIB's senior management, intensifying regulatory requirements, and demand from the institution's partners, namely the European Commission, for which EIB group manages and administers a certain number of mandates. The administration of these mandates on behalf of the European Commission requires EIB to justify an effective and efficient use of European funds and manage the risks and controls associated with the execution of these processes.
The main objective of the transformation project was to deploy an integrated approach to document all the institution's processes. This was achieved thanks to MEGA’s HOPEX platform, which enables all information linked to risk and control to be analyzed and referenced, and supports all types of operational risks. The goal was also to provide senior management and the audit committee with precise reporting to meet ever higher expectations.
Before implementing MEGA's solution, EIB had developed an internal tool that could no longer meet its numerous needs. This tool was replaced by MEGA’s new solution resulting in the ability to:
· Obtain traceability of maintenance and supervision actions. The analysis and audit trail provide a global view of maintenance actions in order to improve the processes related to the supervision of internal control and risk analysis.
· Benefit from a long-term optimization vision and governance data workflows. This information makes it possible to implement a long-lasting and stable system over time, in order to develop new initiatives or integrate future regulatory elements, without having to reconsider the entire architecture in place.
EIB selected MEGA’s HOPEX platform to support its GRC system transformation project on the basis of three main criteria: its ability to comply with EIB procedures, its performance, and its competitiveness.
In fact, EIB group applies a very standardized protocol for the selection of its service providers, which is based on European directives for procurement procedures. These require seamless transparency in the competition process between different providers. In addition, this request for vendor proposals provided a very precise functional scope to the candidate companies. This scope is the result of a requirements analysis and market research carried out with the support of an independent consultant.
MEGA met the technical and financial criteria required by the institution. As the internal control team was not composed of IT professionals but of operational experts in control, audit, and project management, the performance of the functional dimensions proposed by MEGA was decisive in the final selection.
Launched in 2017, the project, which will soon be in its implementation phase, has taken place in the following six stages.
When moving from an "in house" approach to a more sophisticated one such as MEGA's methodology, it is important to gain buy-in to the project from internal sponsors. This allows them to have input at all stages of the project and ensures alignment with all stakeholders.
It is also essential to obtain the support of senior management as it allows the interests of all the layers concerned within the institution to converge. This also minimizes the operational impact that the deployment of this new application generates for the teams.
The entire strategy for implementing the solution is focused on reporting objectives. MEGA makes it possible to meet all the methodological criteria, the audit trail requirements, and the definition of the level of information required according to the needs. This step facilitates arbitration, priority definition and operational decision-making.
For key transactions, MEGA has enabled EIB to define an agile architecture that supports any variable inputs, namely risks, controls, and results of analyses and controls. This allows the architecture to evolve according to changing needs.
This step of defining and standardizing protocols for capturing risks is very important to ensure consistency of the various descriptions and, above all, a consistent level of granularity of information.
Defining a clear vision of the first level of performance to be achieved is essential, as is forecasting the future ambitions and potential evolutions of the solution in the years to come. EIB group wishes to manage its GRC system as a constantly evolving project that is flexible and can change with EIB’s varying future requirements.
The project to transform the GRC system initiated by the EIB already illustrates the best practices that have been applied, which have resulted in positive benefits and outcomes.
The first good practice was to use a gradual deployment approach to master the information, the input protocol, the application, and the reporting features. This made it possible to avoid a multiplication of requirements and interpretation of expectations.
Many discussions were held around limiting personalization. Indeed, EIB has decided to adapt its approach to the MEGA architecture and not the other way around. This allows EIB to be more agile, and greatly facilitates the transformation project.
The institution was also able to benefit from the support of senior management. This is an essential point, especially for the preliminary phases of the project, because it allows contributors to connect and avoids confining the project to a single silo and function.
Another reason this project succeeded was that it had clearly defined goals and reasonable ambitions. When setting up the tool, EIB clearly assessed what was to be implemented in the short and medium term in terms of transformation. This made it possible to precisely define the scope of the needed changes.
EIB has also clearly outlined its reporting objectives. Since this is the goal of its transformation project, defining reporting goals guides all its architectural requirements. The internal control department will be assessed by senior management and the institution's partners according to these objectives.
And finally, EIB precisely defined the different user roles. This approach constitutes a project on its own for EIB, which will be addressed in more detail in the next phase. It will limit the data modification rights in the application and will require a more thorough analysis of the information entered.