Risk analysis and compliance, essential instruments of corporate governance

30/08/2019 October 18th, 2019

Risk analysis and compliance, essential instruments of corporate governance, are beginning to benefit from newer technologies, which provide more visibility into what happens in the company.

The Brazilian truck drivers’ strike in May disrupted supply across the whole country. The federal government was required to adopt new rules for the logistics and fuel sectors. Such measures were extended to several production chains, which is yet another piece of evidence of the volatility and risk all companies are subject to.

This episode was also a reminder to the companies of the importance of safeguarding themselves. It is no coincidence that an increasing number of organizations have been seeking instruments to increase their ability to anticipate external events that may impact them. Such instruments are technologies that may be linked to internal processes, to prevailing laws and regulations, and to governance levels – in other words, GRC.

An acronym for governance, risk, and compliance, GRC is a method that optimizes risk assessment processes and companies’ alignment with corporate policies and sector laws and regulations. GRC emerged in the last decade to enable organizations to operate securely and to provide their managers with resources for decision-making; it is now reaching a new stage, in line with the so-called fourth industrial revolution. GRC 4.0 is powered by big data, artificial intelligence (AI), and machine learning, and thus gains in range, speed, and integration. It is no longer limited to the analysis of risks and regulatory frameworks; it aims at promoting the systematic integration of corporations.

“We understand GRC as a wide framework that is not limited to its three letters. It’s an intelligent and integrated process of information collection and management and of task performance”, explains Claudinei Elias, the managing director of Nasdaq Bwise for Latin America, a company that is a world leader in GRC solutions, connected to the famous corporate stock exchange tech Nasdaq.


Using technology is nothing new for GRC – many platforms are based on management software similar to Enterprise Resource Planning (ERP) systems. Companies, however, usually apply the precepts in a fragmented way. Each sector is in charge of conducting its own surveys. Risk detection and compliance, for example, are left to unrelated legal areas that are barely linked to business strategies. The problem is clear: the creation of assessment silos prevents a continuous flow of information, which causes duplication of efforts and conflicts between sectors, and wastes time. These obstacles affect the companies’ value, impact their competitiveness, and may result, believe it or not, in even higher risks.

According to research by Accenture consulting services, carried out this year in 82 countries, 63% of the companies with sales above USD 100 million are now going through a moment of “major disruption”. In this changing scenario, it is necessary to stand out for agility and a resilient attitude – and that’s why GRC 4.0 pays off. By incorporating several applications, it helps unify all processes, preventing redundancies and delays in decision-making. “The most important benefit is the organization of a unified registration system, as long as you have all your information sources correct”, confirms Khushbu Pratap, a research analyst at Gartner Group.

Big data applications combine mass information storage and high-speed access. This enables companies to assemble large amounts of structured data – provided by internal processes and audits, for example – and unstructured content, such as feedback from the ombudsman’s office or from social media.

Data analytics solutions then make it possible to search for patterns and build predictive models from these heterogeneous pieces of information. Platforms such as SAP’s Hana and Oracle’s Exalytics are able to combine indicators from multiple sources and identify patterns of errors and threats. Such tools optimize the definition of the main risk information, taking into account driving factors such as consumer behavior, economic trends, and environmental issues, among others.

By learning such patterns, with the assistance of artificial intelligence and machine learning, the systems of a bank, for example, can detect and even predict fraud in real-time credit card transactions while they are still being processed, as if it were a continuous audit. “This framework assists in understanding trends and predicting potential losses and impacts, which improves risk measurement”, says Nasdaq Bwise officer Elias.


Banking institutions are beginning to emerge as the benchmarks of the new GRC phase. After all, the domestic financial segment has to deal every month with about 3 thousand publications on rules at municipal, state, and federal levels – not to mention internal regulations, filed by entities like the Brazilian Federation of Bank Associations (FEBRABAN). Altogether, this can be up to 15 thousand rules per month, taking into account the interaction with updates to the other sectors. Beyond the law, banks are among the segments that are the most dependent on risk strategies to estimate profit and loss margins.

In 2012, Banco Votorantim decided to modernize its GRC and adopted a Nasdaq Bwise platform. Among other resources, the solution provides data analytics technologies to automate operational risk methods. Cross-referencing information has improved the understanding of the roots of the bank’s operational issues, enabling the creation of new types of procedures.

Model risk management is one of them. This method aims at validating and enhancing algorithms, statistics, and econometric functions applied to the bank’s framework of predictability. “Now we can see the benefits. Planning became more assured, as the managers can access the respective models independently and modify them if necessary”, says Vinicius Oliveira, a model validation specialist at Banco Votorantim.

This process change at the institution shows the impact of the new GRC method on organizations’ so-called “second line of defense”. Safeguarding frameworks usually comprise four lines of defense, namely: governance, control processes, internal audit, and external audit. Not only do work optimizations in control processes make audit arrangements easier, but they also provide resources to governance. “By providing the business with accurate information, technology improves decision-making and the pursuit of risk reduction”, says the Bwise executive officer.


GRC 4.0 is flexible due to its diversity of resources. This flexibility is important because the application of the framework must respect the particularities of the segment in which the company operates and of its management maturity level. “Determining which technologies to use depends on the corporate governance model, the innovation environment, and the quality of data to make the control instruments effective”, he emphasizes.

Implementing a strong GRC with a wide range of functionalities makes the company’s adjustment more complex. The reason is that alignment with GRC is a journey that demands time and effort, since the company needs to improve its audit and internal regulation mechanisms to calibrate the technology. Despite this complexity, though, the wider the GRC scope, the more complete and decisive the information given to decision makers tends to be.

Nasdaq Bwise calls this GRC scope expansion “extended organization”. The purpose of this approach is to align the entire value chain with the company’s strategic principles, including joint ventures and third-party services. It makes sense. According to a survey Deloitte published in May, in Brazil, about 74% of managers believe that third parties will play an increasingly important role in business. The risk related to this type of service became higher as of 2014, with the promulgation of the Lei Anticorrupção [Anticorruption Act], which imposes liability on the contracting party for any illegal acts performed by the third party. Since then, the process of monitoring for possible financial and reputational damage has become more vigorous.

Source: HSM Management
