Risk management and compliance efforts are intended to use application technologies and GRC platforms as a lever to:

  • Optimize the internal control system,

  • improve process performance,

  • and reduce the costs associated with compliance tasks through automation of controls, among other things.

However, before you can imagine supporting your risk management and internal control system with a GRC platform, you must first consider the level of maturity of your system.

ArtimIS proposes to its prospects and clients to set to music an assessment of the maturity level in “self-assessment” mode to define the most appropriate trajectory:

Functional Grade

Maturité Description
Level 1 Ad-Hoc/risk management and internal control is not formalized and not present. The organization is content simply to position representatives in silos isolated from it. However, an annual control is ensured by external audits to detect and remedy critical risks over the following year.
Level 2 Fragmented/Risk management and internal control is decentralized and disparate. Consequently, there is a lack of communication and consolidation of information between the various departments and management. Also, activities are based on office automation tools. However, a periodic control is carried out by a so-called independent entity, the internal audit (the third line of defense) within the organization itself to cover the most critical risks in a detective manner.
Level 3 Managed/Risk management and internal control is carried out within a department (a second line of defense is created) which centralizes and coordinates all activities by relying on a network (the first line of defense).
Level 4 Integrated/Risk management and internal control is fully integrated and covers all the organization’s processes. Stakeholders, sponsors, and the organization are clearly defined, documented and lively. In addition, there is a continuous control system in place to proactively prevent risks and to measure the effectiveness of the exercise of control. The coordination of the three lines of defense is centralized but remains more focused on compliance and critical risk management.
Level 5 Agile/Risk Management and Internal Control has evolved into a framework where every employee understands and undertakes the achievement of risk management objectives. In addition, GRC activities are aligned with corporate strategy. There is a real federation of risks via a shared service center that operates in complete autonomy and whose actions are relevant and only amplify the performance of the processes.

Technological Grade

Maturity Description
Level 1 Ad-Hoc/Oral Voice
Level 2 Office Tools
Level 3 ERP-Office Tools and Data Analysis Solutions
Level 4 GRC platform integrated with ERP and other applications
Level 5 GRC platform integrated with ERPs and other applications by adding an advanced technology layer (Robots, CCM, Process Mining or ML to go