Governance, Risk & Compliance (GRC) functions are facing increasingly complex risks, greater regulatory scrutiny and a more rigorous compliance environment.
Nevertheless, at KPMG we see that most organizations still have a very fragmented, silo-based approach towards GRC. This not only results in various organizational inefficiencies, but also in a lack of organizational assurance.
Other implications of this silo-based approach include: uncoordinated compliance programs and efforts, the implementation of a GRC tool before defining the proper internal control framework, risk and control systems addressing only financial reporting risks, business continuity systems focused on IT aspects only, etc.
At KPMG, we understand that this fragmented approach to GRC can be explained by the fact that organizational Target Operating Models (TOM’s) are rarely viewed from a GRC perspective. As such, the organization of GRC is often not designed to be well integrated.
Hereunder we propose our vision on how to achieve an integrated GRC Target Operating Model.
At KPMG, we believe in a pragmatic and holistic approach when it comes to GRC and have developed a generic GRC TOM based on the ‘9 Levers of Value KPMG Model’, a proven method for defining an organization’s Target Operating Model.
Our GRC TOM is built around two dimensions: the first dimension consists of three Components which cover all the GRC functions within an organization; the second dimension includes five Design Layers which need to be tailored to the risk appetite and strategy for every TOM component of the organization.
Protect and enhance business value: By fostering a risk-aware culture, supporting informed decision-making and by addressing multiple compliance and assurance layers.
Enhance operational efficiency: By rationalizing risk management, controls and assurance structures and processes, and through the smart use of IT and data management structures.
Provide a proactive and dynamic approach: By enabling organizations to quickly, consistently and efficiently respond to challenges arising from evolving risk profiles and rapidly changing regulatory requirements.
Support a linkage to strategy: By enabling companies to meet compliance objectives while improving performance using an integrated framework in support of their strategic objectives.
KPMG developed a diagnostic model consisting of 8 steps to help organizations design or refresh their GRC TOM. Firstly, we perform a profound assessment of organizations’ TOM Components with regard to the Risk & Compliance context, the strategy, and the current state. This includes:
Secondly, we design the future organization. Specifically, based on the GRC assessment (steps 1-3), we will adapt or set up every TOM Design Layer for each TOM Component. This entails the following 5 steps:
KPMG’s risks experts have extensive experience and a tested methodology to deliver solutions across the spectrum of governance, risk and compliance. We differentiate ourselves by:
Expertise. Our team of subject matter professionals have the skills and knowledge to provide implementation and support services that meet varied GRC needs across a wide range of industries.
Flexible methodology. KPMG’s GRC methodology enhances risk management programs, quality processes, regulatory- and industry-mandated compliance programs, and corporate governance initiatives, all tailored to each company’s specific needs.
Track record of success. We have effectively assisted multiple clients in implementing holistic, GRC solutions, as well as transitioning vendors with little disruption.
Tested strategy. We identify and offer tools that accelerate readiness and implementation activities for core GRC applications, and our strong relationships with many providers help to provide a cohesive experience for our clients.