
How the European Investment Bank transformed its GRC system


Objective: transform the system of governance, risks and compliance

 

In 2015, EIB launched a project to completely transform its internal control system. The project aimed to better integrate the dimensions of governance, risks and compliance (GRC). It responded to demand from EIB's senior management, to intensifying regulatory requirements, and to demand from the institution's partners, namely the European Commission, for which EIB group manages and administers a certain number of mandates. Administering these mandates on behalf of the European Commission requires EIB to demonstrate effective and efficient use of European funds and to manage the risks and controls associated with the execution of these processes.

The main objective of the transformation project was to deploy an integrated approach to document all the institution's processes. This was achieved thanks to MEGA’s HOPEX platform, which enables all information linked to risk and control to be analyzed and referenced, and which supports all types of operational risks. The goal was also to provide senior management and the audit committee with precise reporting to meet ever higher expectations.

Before implementing MEGA's solution, EIB had developed an internal tool that could no longer meet its numerous needs. This tool was replaced by MEGA’s new solution, resulting in the ability to:

·       Obtain traceability of maintenance and supervision actions. The analysis and audit trail provide a global view of maintenance actions in order to improve the processes related to the supervision of internal control and risk analysis.

·       Benefit from a long-term optimization vision and governance data workflows. This information makes it possible to implement a long-lasting and stable system over time, in order to develop new initiatives or integrate future regulatory elements, without having to reconsider the entire architecture in place.

 

Choosing a complete IT solution that aligns with business outcomes

 

EIB selected MEGA’s HOPEX platform to support its GRC system transformation project on the basis of three main criteria: its ability to comply with EIB procedures, its performance, and its competitiveness.

In fact, EIB group applies a very standardized protocol for the selection of its service providers, which is based on European directives for procurement procedures. These require seamless transparency in the competition process between different providers. In addition, the request for vendor proposals gave the candidate companies a very precise functional scope. This scope was the result of a requirements analysis and market research carried out with the support of an independent consultant.

MEGA met the technical and financial criteria required by the institution. As the internal control team was not composed of IT professionals - but of operational experts in control, audit, and project management - the performance of the functional dimensions proposed by MEGA was decisive in the final selection.


Implementation of the transformation project in six steps

 

Launched in 2017, the project, which will soon be in its implementation phase, has taken place in the following six stages.

1.      Identification of the project sponsors

When moving from an "in house" approach to a more sophisticated one such as MEGA's methodology, it is important to gain buy-in to the project from internal sponsors. This allows them to have input at all stages of the project and ensures alignment with all stakeholders.

2.      Support of senior management

It is also essential to obtain the support of senior management as it allows the interests of all the layers concerned within the institution to converge. This also minimizes the operational impact that the deployment of this new application generates for the teams.

3.      Definition of reporting objectives

The entire strategy for implementing the solution is focused on reporting objectives. MEGA makes it possible to meet all the methodological criteria, the audit trail requirements, and the definition of the level of information required according to the needs. This step facilitates arbitration, priority setting and operational decision-making.

4.      Definition of an agile architecture

For key transactions, MEGA has enabled EIB to define an agile architecture that supports any variable inputs, namely risks, controls, and the results of analyses and controls. This allows the architecture to evolve according to changing needs.

5.      Definition of protocols for entering information related to risks and controls

This step of defining and standardizing protocols for capturing risks is very important to ensure consistency of the various descriptions and, above all, to ensure a consistent level of granularity of information.

6.      Anticipation of ambitions and future developments

Defining a clear vision of the first level of performance to be achieved is essential, as is forecasting the future ambitions and potential evolutions of the solution in the years to come. EIB group wishes to manage its GRC system as a constantly evolving project that is flexible and can change with EIB’s varying future requirements.

 

The key success factors of the transformation project

 

The project to transform the GRC system initiated by EIB already illustrates the best practices that have been applied, which have resulted in positive benefits and outcomes.

The first good practice was to use a gradual deployment approach to master the information, the input protocol, the application, and the reporting features. This made it possible to avoid a multiplication of requirements and interpretation of expectations.

Many discussions were held around limiting personalization. Indeed, EIB has decided to adapt its approach to the MEGA architecture and not the other way around. This allows EIB to be more agile, and greatly facilitates the transformation project.

The institution was also able to benefit from the support of senior management. This is an essential point, especially for the preliminary phases of the project, because it allows contributors to connect and avoids confining the project to a single silo and function.

Another reason this project succeeded was that it had clearly defined goals and reasonable ambitions. When setting up the tool, EIB clearly assessed what was to be implemented in the short and medium term in terms of transformation. This made it possible to precisely define the scope of the needed changes.

EIB has also clearly outlined its reporting objectives. Since reporting is the goal of its transformation project, defining reporting goals guides all its architectural requirements. The internal control department will be assessed by senior management and the institution's partners according to these objectives.

And finally, EIB precisely defined the different user roles. This approach constitutes a project on its own for EIB, which will be addressed in more detail in the next phase. It will limit the data modification rights in the application and will require a more thorough analysis of the information entered.
