PREFACE

Pressure from regulators, external auditors, investors, and other stakeholders obliges companies to invest in GRC programs. For optimization purposes, they want to use technology levers to produce real-time compliance status reports.

Defining a sustainable GRC program requires the definition of new roles and responsibilities or the creation of new departments such as Internal Control. Therefore, the support of GRC experts who combine technical and functional knowledge with a certain affinity for the ERPs on the market is more than recommended.

The ArtimIS team is made up of certified GRC experts and business experts (internal control, financial compliance) with proven experience in implementing internal control frameworks and controlling information systems. The seniority of the team allows us to provide high-quality services. Our background allows us to offer our clients a relevant diagnosis of all processes, risks, and associated governance to help them develop an appropriate GRC strategy.

When you are interested in integrated and transversal risk management within your organization, it is important to understand the objectives and benefits of such a program.

The main objectives are:

The value and benefits are:

  • Strengthen risk awareness and collaborate around the internal control system
  • Ensure continuous monitoring and reporting of controls on key processes

  • Improve the corporate culture around Governance Risk and Compliance topics

  • Improve market reputation by reassuring investors and third parties with whom the company collaborates

  • Prevent, detect, and reduce company-wide weaknesses & threats

  • Improve the responsiveness and efficiency of business processes to achieve its strategic objectives while optimizing ROI

  • Support company transformation through proactive risk management

  • Inspire and motivate employees, insofar as the company conducts its activities in an ethical and appropriate way

  • Reduce the risk of human and operational error, data leakage, fraud, and compliance risks

  • Guarantee the transparency of published financial data, to ensure compliance with the various regulations

  • Guarantee the quality of “Risk” data and efficient reporting at all levels (Internal Audit / Internal Control / Operations)

  • Provide management and executive committees with real-time information to enable effective and pragmatic decision-making

ENSURING A FRAME OF REFERENCE

To support its clients in the implementation of a GRC program, ArtimIS generally uses a reference framework combining good risk management and internal control practices (AMF, COSO 2 & ISO 31000/2009 RM) with the specificities and the user experience of business solutions (ERP: SAP S/4HANA / Oracle or other specific applications).

Before launching into the definition and implementation of a GRC program, it is important to define the governance, i.e. to define the organization, the sponsors, the key actors of the project, and the contributors, but also to identify the processes to be covered as a priority.

ArtimIS experts assist their clients in identifying the players needed for each line of defense:

First line of defense

Second line of defense

Third line of defense

Once the governance is defined (Organization, People, Processes, Applications, …), we now need to evaluate, define, and implement the risk management and internal control system.

To do so, we can rely on the ISO 31000/2009 RM reference framework below:

 

[Figure: reference framework layers: Governance & Organization; Risk Classification & Reporting; Associated processes; Applicative Technology & GRC Platform]

MATURITY ASSESSMENT

Risk management and compliance efforts are intended to use application technologies and GRC platforms as a lever to:

  • Optimize the internal control system

  • Improve process performance

  • Reduce the costs associated with compliance tasks through automation of controls, among other things

However, before you can imagine supporting your risk management and internal control system with a GRC platform, you must first consider the level of maturity of your system.

ArtimIS offers its prospects and clients an assessment of their maturity level, carried out in “self-assessment” mode, to define the most appropriate trajectory:

Functional Grade

| Maturity | Description |
| --- | --- |
| Level 1: Ad-Hoc | Risk management and internal control is not formalized and not present. The organization is content simply to position representatives in silos isolated from it. However, an annual control is ensured by external audits to detect and remedy critical risks over the following year. |
| Level 2: Fragmented | Risk management and internal control is decentralized and disparate. Consequently, there is a lack of communication and consolidation of information between the various departments and management. Also, activities are based on office automation tools. However, a periodic control is carried out by a so-called independent entity, the internal audit (the third line of defense), within the organization itself to cover the most critical risks in a detective manner. |
| Level 3: Managed | Risk management and internal control is carried out within a department (a second line of defense is created) which centralizes and coordinates all activities by relying on a network (the first line of defense). |
| Level 4: Integrated | Risk management and internal control is fully integrated and covers all the organization’s processes. Stakeholders, sponsors, and the organization are clearly defined, documented, and active. In addition, there is a continuous control system in place to proactively prevent risks and to measure the effectiveness of the exercise of control. The coordination of the three lines of defense is centralized but remains more focused on compliance and critical risk management. |
| Level 5: Agile | Risk management and internal control has evolved into a framework where every employee understands and undertakes the achievement of risk management objectives. In addition, GRC activities are aligned with corporate strategy. There is a real federation of risks via a shared service center that operates in complete autonomy and whose actions are relevant and only amplify the performance of the processes. |

Technological Grade

| Maturity | Description |
| --- | --- |
| Level 1 | Ad-Hoc/Oral Voice |
| Level 2 | Office Tools |
| Level 3 | ERP-Office Tools and Data Analysis Solutions |
| Level 4 | GRC platform integrated with ERP and other applications |
| Level 5 | GRC platform integrated with ERPs and other applications by adding an advanced technology layer (Robots, CCM, Process Mining or ML to go |

CHOOSING THE APPROPRIATE GRC TOOL

Our clients are continually seeking to improve their level of maturity and are therefore increasingly examining their options among the GRC platforms on offer.

How to proceed, where to start?

As the tools of the GRC market are constantly evolving, we attach importance to innovation and technology watch so that we can respond to our clients' requirements pertinently and in an agnostic manner.

We also keep ourselves systematically informed about business and regulatory developments to offer appropriate support.

Thus, ArtimIS teams support their clients in the development of business cases to guide and refine the choice of the GRC solution.

Depending on the functionalities desired and the context of our customers, we evaluate the solutions along different axes. Here are some examples:

  • Licensing model & durability of the vendor

  • Technical-functional skills on the FR and EU market

  • Time vs. cost of implementation

  • Functional coverage by application module

  • Ergonomics of the solution

  • Architecture & security of the solution (code, access, data, …)

In addition to drawing on the proven experience of our consultants, these studies are inspired by the best methods (PRINCE2) and by research firms' studies (Gartner / Forrester / IDC), while being adapted to the context of our customers to offer them an agile and pragmatic choice support process.

WHY ArtimIS?

Our expertise and constant technological watch enable us to support our clients daily in their risk governance and compliance objectives.

Through ArtimIS, they have improved their maturity around the risk culture in the enterprise and have become able to detect and prevent threats through reinforced lines of defense. Finally, they have the tools that best meet their needs, their processes and, of course, their organizational or budgetary constraints.

Arnott Hales, Partner at ArtimIS