Background and the requirement
Dudley Building Society (the Society) had already established a governance, risk and compliance framework, though the administration and reporting was largely via a combination of spreadsheets and other mechanisms.
The general sense was that the arrangements, although largely achieving what they should, were not considered sufficiently efficient. They were not sufficiently integrated and required a large amount of manual intervention to formulate what was required by various stakeholders across the Society to achieve the desired outcome. This problem was exacerbated by version control issues as well as the general matter of completeness and therefore reliability. This in turn reduced engagement with what the Society was trying to achieve from a governance, risk and compliance perspective.
The Society felt it was time to move on and improve its reporting and monitoring capability through the introduction of a more sophisticated and dynamic set of tools to help in the management of governance, risk and compliance matters. However, this now created a further challenge, that of striking a balance between automation, complexity, cost and improvement.
It was at this time a new non-executive board member joined the Society and took up a role on the Audit Committee. The new board member had previously been through a similar software search process with an organisation and as a result became familiar with Insight4GRC, the RSM UK proprietary Governance, Risk and Compliance software solution. The Society approached RSM and arranged a preview.
RSM undertook an on-site demonstration of the Insight4GRC suite, including 4Risk, 4Action, 4Policies, 4Learning, 4Performance and 4Questionnaire. More information about each of these modules can be found at www.insight4grc.com
The Society immediately took to the Insight4GRC suite. They particularly liked:
- Its ease of access, use and navigation.
- The flexibility, functionality and real time customisable reporting through integrated user defined dashboards enabling drill down and system interrogation.
- Task management routines and workflow management ensuring all users knew what was required of them, helping to improve and strengthen accountability.
- The secure ISO27001 hosting and development environment that RSM provide.
- Availability of the Insight4GRC support desk, and access to and participation in user forums, allowing the Society to learn from others, as well as share their own experiences and influence future Insight4GRC developments.
- User MOT to highlight how organisations can get more from Insight4GRC.
- Access to standard system developments at no additional cost.
- Ability to directly speak with the Insight4GRC national deployment and implementation team as they required, including the Partner responsible. This team are all risk and governance management practitioners and are able to share their experiences of design, development and implementation of governance, risk and compliance arrangements from various sectors, making them very solution focussed.
- The fact that RSM also had a national team of controls and assurance experts providing second line of defence, compliance and internal audit services in the building society sector. The potential for harnessing their expertise, coupled with the use of governance, risk and compliance technology in the form of Insight4GRC, all from a single provider within a national professional advisory firm, created a clear differentiator from other providers. The Society needed to feel comfortable and assured that the building society sector was important to RSM, and that this could be the basis of a strong collaborative business relationship.
Although RSM UK already had over 35 FCA-registered businesses within their 200-plus user organisations that used one, some or all of the modules from the Insight4GRC suite, the Society liked the fact that they were able to constructively influence design based on their user experiences and requirements, and were therefore confident that Insight4GRC would grow with them as a user.
What we did
The Insight4GRC suite is relatively straightforward to deploy and extremely flexible from a structuring perspective. It is accessed through a web browser and the modules can all be set up to reflect an organisation's governance, risk and control or compliance arrangements via the system administration function, so there is no need for on-going reliance on RSM UK for continued involvement.
Dudley Building Society wanted to implement all modules within Insight4GRC. To achieve this, a project team was assembled including both Society staff and the RSM implementation team, and a project plan was agreed. This is RSM’s standard approach during implementation. In this case the Society decided that 14 days of implementation support would be required from RSM to achieve implementation of all modules. Post-implementation, the Society moves into a client care phase which continues through to the end of the three-year licence. Client care involves regular client dialogue, on-site meetings and ad-hoc support to ensure that all organisations that use any of the Insight4GRC suite modules continue to get the best value from the software. This also provides a mechanism by which RSM can determine future product development requirements.
The following paragraphs outline some of the particular circumstances relevant to each Insight4GRC module implemented at the Society - including 4risk, 4action, 4policies, 4performance and 4questionnaires.
Dudley were recording strategic and functional risks in spreadsheet-based risk workbooks. Although each function could maintain their own set of risk records, this created a number of administrative inefficiencies. The first was keeping track of which risks had been updated and which had not. This relied on a lot of time being spent by the risk manager communicating with functional heads to establish what had been done and when. The second came once all the risk workbooks were updated, when changes in risk and the progress of risk actions needed to be reported. This required a lot of manual churn.
By introducing 4risk the Society has been able to cut down the administrative time through automating reminders to staff to review risks, controls, assurances and actions. Monitoring and reporting is significantly enhanced through on screen real-time bespoke dashboards which flag up activities underway and progress of updates, all of which can be reviewed by the risk manager.
Now all the risks are in one risk database, they can be easily filtered to produce specific information required by all stakeholders. The flexibility of 4risk’s report builder allows tailored report templates to be produced for the Board, the Committees of the Board, the Management Team and Heads of Department.
The Society have recently reported that the 4risk module has significantly improved its ability to focus first, second and third lines of assurance as well as report on outcomes of this assurance work.
The Society utilise 4action to track all committee actions and internal audit actions. Actions are allocated to staff with email notifications providing reminders of impending and overdue deadlines.
Progress on the implementation of actions is tracked by the executive management team each week using the real-time Insight4GRC dashboard including looking at actions implemented, actions due within the next 30 days and actions overdue - all of which can be interrogated via on-screen click through. The 'burn down' graphical report is particularly popular, enabling monitoring of the action population or groups of actions by implementation priority and timeframe, helping ensure that resources are deployed to high priorities.
To streamline and provide up-to-date reporting, the online dashboards that track action progress are also used at each committee as opposed to sending out hard copy reports which are often history by the time the committee meet.
As a regulated business, the Society had a need to demonstrate that staff have read and understood key policies. Previously, policies were accessible through the organisation's Intranet but there was no record of employees having read, understood and accepted the policies. This is a passive approach which is often adopted by many organisations, though it is largely unreliable as a mechanism for ensuring that staff know what is expected of them and the boundaries within which they should work to alleviate unnecessary risk exposure.
By introducing 4policies the Society have been able to communicate policies to employees and contractors including (where applicable), completion of a test to ensure understanding.
The Society is now able to monitor in real-time whether there are any individuals or functions within the business where employees have not read and accepted all relevant policies and therefore may present potential for a non-compliance risk. The use of 4policies also enables new starters or contractors to review and accept policies prior to commencement - which means on day one the new starter is already familiar with the Society's expectations.
The Society are now using 4policies as a portal through which they communicate and give access to key documents and updates to groups of staff and stakeholders, recognising the power of the audit trail evidence that 4policies can provide.
The Society were tracking progress and performance of their corporate plan using an Excel spreadsheet which would be updated by one individual. The corporate plan outlined key objectives for achievement over the course of the year and would be updated quarterly, with a level of completion (per cent) entered against each objective. Updating the tracker was quite time consuming as it would need to be updated on a central drive (that would get locked when one individual was updating it). The corporate plan was set up on 4performance, allowing each objective to have:
- Specific start dates.
- Profiled completion targets for each quarter (i.e. 25 per cent, 50 per cent, etc).
- Allocated owners responsible for updating.
- A percentage of completion captured each quarter that could then be RAG rated against the profiled target.
- Detailed commentary and evidence attached when providing an update on measures.
As performance against each objective is updated, the 4performance dashboard updates in real-time to provide a visual on whether an objective's performance is on target. Objective owners are reminded by email when they need to provide their quarterly update and can access the tool at any time to do this.
The interactive nature of 4performance, like all of the Insight4GRC suite, allows on-line interrogation of graphs and information reports via click through and drill down.
4questionnaire is a flexible 'enabling' tool within the Insight4GRC suite, helping organisations gather information that may be required, either to help populate Insight4GRC or otherwise - i.e. an internal control questionnaire. RSM make this available to users of the complete set of modules in the full Insight4GRC suite. The Society uses the 4questionnaire tool to carry out a number of surveys and assessments, including their annual employee engagement survey and employee training needs assessments. The Society has also seen the opportunity to move away from word processor templates and use 4questionnaire to introduce online forms for whistleblowing.
Insight4GRC has provided the Society with a number of benefits and advantages.
General administration of what were previously cumbersome methods has been made more efficient. In fact, time and effort has shifted from gathering and chasing inputs to a review of outputs and outcomes achieved.
Reporting and monitoring is now more timely, accurate and reliable - enabling increased constructive challenge and decision making. Moreover, it is real-time with what are often quite complex reporting requirements being addressed at the touch of a button.
There is improved engagement by stakeholders in the governance, risk and compliance framework that the Society is operating, as well as strengthened accountability.
There is a sense at all levels within the Society that the management of risk is more embedded, which allows easier escalation to Board. All three lines of defence can actively monitor assurance provided and drill down into evidence within the Insight4GRC system via remote access or in a live environment using dashboard click throughs, making for a more dynamic discussion over controls and assurances.
There is a more systematic approach to updating of assurances and increased challenge over the level of assurance provided across the Society, in particular by the first line of defence. This in turn is helping better focus second and third lines of defence. The Insight4GRC suite now enables greater visibility across the Society of the management of risk in its entirety.
The Society enjoys the on-going access and dialogue with the RSM team as part of the on-going client care commitment that RSM UK makes to all Insight4GRC users, allowing for ideas to be exchanged to help further the future development of the suite.
Peter Beddows, Director of Finance, at Dudley Building Society said:
'We have been delighted with the benefits that the Insight4GRC system has provided to Dudley and have thoroughly enjoyed working with the RSM team in its implementation. We have used all 6 modules, but let me comment on 2 in particular:-
'Firstly 4Risk. Interestingly, one of the original attractions of the 4Risk component of the system was that it automated manual and spreadsheet processes but provided output that was instantly familiar to our people: however, the system has since then enabled us to develop what we do and how we do it way beyond our original capability and familiarity.
'Second, the 4Policies module has been used very extensively to complement our governance approaches and provides a highly automated and systematic way of ensuring awareness and understanding of our policies, as well as ensuring they are kept up to date.
'These 2 examples typify the ways in which we have been able to implement and leverage the system and – in our case – integrate it with other back office systems to provide a connected suite across all of our Risk and Governance needs.
'I would be very happy to recommend Insight4GRC to fellow Societies and other institutions, as well as offer site visits if anyone wishes to talk to our users about any aspect of the system and its potential application to their Society.'