Governance, risk, and compliance programs are crucial to any organization’s success — and occasionally, their survival. But taking a GRC program from square one to a fully-matured, well-oiled machine is no easy feat.
That’s the situation United Community Banks, Inc. (UCB) was in. To help identify opportunities for improving their GRC operations, they turned to LogicGate’s GRC Maturity Workshop.
The GRC Maturity Workshop was created to help our customers highlight the current strengths of their program, bring awareness to opportunities for growth, and develop an actionable roadmap to achieve their program goals.
Illuminating the path from developing to integrated
Objective: Understand the current state of UCB’s GRC program and set goals for improvement.
Output: Current state and ideal state scores, benchmarked against similarly-sized industry peers.
Prior to the workshop, the LogicGate workshop team asked the UCB team to take stock of their GRC program’s maturity across their core enterprise risk management, third-party risk management, and controls management use cases. Then, they compared the current state of each use case to LogicGate’s benchmark scores for similarly-sized organizations. The essential components of each program — called competencies — were scored based on five categories: strategy, process, people, technology, and metrics. Each category was weighted by importance.
The averaged results showed that each was currently below the target score, either having been minimally developed or partially developed but not widely adopted throughout the organization. Controls management emerged as the area most in need of maturing.
Based on these results, the UCB team set ideal state goals of exceeding the benchmark scores in the ERM and third-party risk management use cases and getting closer to the benchmark in controls management. This would ensure each of the processes was being communicated well, integrated into the business, and widely supported.
Understanding program maturity and risk culture
Objective: Strengthen UCB’s risk culture to ease change management associated with maturity efforts.
Output: Set of core values, aligned to company values, that inform maturity initiatives.
One of the biggest challenges any organization faces when trying to mature a GRC program is getting everyone onboard. That requires a significant and sometimes difficult change in risk culture.
To kick things off during the workshop, the LogicGate team guided the UCB team through an exercise designed to help better understand the organization’s current risk culture and determine which steps would be necessary to foster a more risk-aware culture that would streamline the change management process.
The LogicGate team offered a series of prompts centered on the overall theme of what the organization’s ideal risk culture would look like. Each workshop participant was asked to reflect on these concepts and then given the opportunity to write down one question, one concern, and one “magic wand” item — what they would wish for if they had unlimited resources and could make one thing related to the prompt happen immediately.
The responses were reviewed and common themes were drawn out of them. Some of the themes included:
- Enabling risk to be seen as a value-add.
- Developing risk subject matter expertise within the business.
- Defining a common risk framework.
- Driving tactical coordination and visibility of risk between departments.
- Keeping things simple.
- Determining clear ownership of GRC priorities.
- Empowering the business to make risk-informed decisions.
The themes were distilled into a series of values, and the participants were asked to select their top three to serve as north stars for their GRC program. Here’s what they settled on:
- Keep it simple.
- Be consistent.
- Collaborate.
After the values were selected, the UCB team realized that they mapped well to the organization’s values. “Keep It Simple” and “Be Consistent” map to the bank’s values of “Caring and Trust” because the GRC team is demonstrating empathy and care for their colleagues outside of GRC by making it easier for them to engage in GRC processes, ultimately driving deeper trust between those stakeholders and the GRC team. “Collaborate” maps directly to “Team”: All of the GRC team members recognize that they can’t win together in risk management if they aren’t playing together as a unified team.
These values were kept in mind through the rest of the workshop to help guide decision making and solution development. And, the process both forced UCB’s various stakeholder departments to work closely toward a common goal and revealed that most of the participants were more aligned on where they wanted to take the organization’s GRC efforts than they had initially thought:
"It's been interesting to see how similarly we all think. I never realized how different departments all face similar problems," said LaQuan Anderson, InfoSec Analyst. "We do a regular call together but it was so helpful having a facilitator bring us together and help us think about the big picture."
Identifying and prioritizing opportunities
Objective: Examine core use cases for high-priority areas for improvement.
Output: Targeted list of focus areas with solutions developed for each. Two-year roadmap to GRC maturity success.
Armed with these insights and recommendations and a newfound sense of organizational direction, the UCB and LogicGate teams took a deep dive into each core use case to develop a two-year roadmap for success. The roadmap focused mostly on the Enterprise Risk Management, Third-Party Risk Management, and Controls Management use cases, but also included holistic initiatives for maturing the organization’s overall GRC program.
Throughout the process, the team identified and prioritized any gaps in the three focus use cases, then developed solutions for remedying them.
Six specific solutions for program maturity rose to the top of the list and were designated as top priority initiatives:
- Building an improved enterprise risk register by formally identifying enterprise-level risks and mapping them to operational risks.
- Improving alignment of operational controls across audit and business stakeholders to avoid duplication.
- Determining which GRC datasets should be linked to facilitate visibility and collaboration.
- Improving the ability to provide practical guidance to the business to promote risk as a business enabler.
- Assigning specific owners of operational risks to drive action and accountability.
- Creating efficient reports for executive leadership and business units.
Each initiative was assigned a baseline score and an ideal state score to track progress, then the roadmap was built out to provide a two-year timeline of all of the initiatives that would need to be undertaken to reach the team’s goals.
Obtaining executive alignment and buy-in
Objective: Bring executive leadership on board with GRC maturity efforts.
Output: Executive readout of the workshop’s results and next steps, plus a full Final GRC Maturity Report.
No GRC maturity program will get off the ground without executive alignment and buy-in. That’s why UCB’s workshop included an Executive Readout, developed by the LogicGate team and presented to company leadership at the end of the session.
The presentation covered all of the opportunities identified and solutions developed in the workshop, and the UCB team was provided with a full Final GRC Maturity Report for anyone who wanted to dive into more detail.
A roadmap to GRC success
Now, the UCB team is using LogicGate’s Risk Cloud platform to implement the roadmap. After the initial go-live, Kara Bradley, UCB’s Director of Third-Party Risk Management, quickly rolled out the platform’s Third-Party Risk Management Solution. Kara soon mastered the platform and began meeting with the LogicGate team regularly to brainstorm enhancements to UCB’s implementation.
"The biggest benefit is not only the tool but the group. The LogicGate team has been very engaged. When we call, we get help," said Bradley.
LogicGate gives you an interconnected view of risk across the organization that you just can’t get from point solutions. After all, great companies are built not by avoiding risks — but by choosing the right ones.
Risk Cloud® and LogicGate Risk Cloud® are registered trademarks of LogicGate, Inc.®. All rights reserved.