Bringing Shadow IT into the fold

Originally Published in Insurance Day magazine 27th November 2016

The Need for a Holistic Approach to Governance, Risk and Compliance

As regulatory requirements become increasingly global in nature, more insurers now understand the importance of adopting a holistic approach to regulatory and governance requirements. Too many insurance companies, however, are still dealing with regulation in a piecemeal fashion rather than looking at what a holistic framework would require and building towards it.

Ask any board member from a re/insurance company what governance, risk and compliance means to them and a series of wearisome acronyms soon trip off their tongue. We’ve all become far too familiar with SOX, Lloyd’s minimum standards, Solvency II, and Dodd-Frank. What about DPA, FATCA, CASL, HIPAA, COPA, FCPA, PIPEDA? The wave of regulatory acronyms is threatening to mutate into a tsunami! All this, and then we have the joys of GDPR just around the corner.

While each of these regulations has its own requirements, the way organisations have responded to them has at least one thing in common: most have implemented their response to each regulation as a “one-off” project, which has then operated in a silo ever since. There is another, better way to approach and implement Governance, Risk and Compliance (GRC).

It can be done by implementing a holistic GRC framework that allows your organisation to understand both current and future requirements, whilst deploying a capability that meets current needs in a way that is both appropriate and proportionate to the business.

GRC as an Agent for Change and Efficiency Improvements

A GRC framework is the combination of an assessment, processes, systems, reporting and auditing that together allow an organisation to recognise the similarities between national and international regulatory requirements.
A holistic GRC framework allows different regulatory requirements (e.g. capital and controls, taxation, data use and protection) to be documented, recorded, monitored and audited under the same framework.

The benefit of the holistic approach is that it helps organisations develop their responses to regulatory requirements in a way that plans for, and allows, the re-use of controls, mitigations, monitoring and reporting wherever the requirements overlap.

There are further benefits in implementing GRC-inspired change in business processes. These include business process optimisation and weeding out inefficiencies that have crept in over time (or, worse still, have been in place since the beginning). Make sure that the team implementing the changes is cross-discipline and open to the possibility of improvement. Most people are resistant to change, so it is essential to foster an open-minded culture that recognises its own weaknesses.

Common Threads in a Regulatory Framework

There are common threads and areas of overlap between many of the new regulations and regulatory requirements.

Practise data protection as a whole. The growing number of countries and regions implementing data protection legislation (the EU, Singapore, Canada, Australia and the Philippines, to name just a few) share common threads, as well as a common ancestry in the EU Data Protection Directive.

Recognise the increased importance of data and data quality. Many regulatory requirements (SOX, FATCA, DPA, Solvency II) place an increased focus on data quality. In the case of Solvency II, the difference between good data and bad data can mean the difference between a policy being underwritten or not. With data increasingly being shared throughout the insurance value chain, the impact of bad data spreads with it.

Remember to demonstrate and evidence. It is not good enough to say that something has been done; we need to demonstrate and evidence that it was done, when it was done and why it was done. This is particularly relevant in the case of capital and control regulations, but it is also a requirement of data protection regulation (something that is only going to get stronger with the introduction of GDPR in 2018).

The Role of the CIO in a World of Shadow IT

When it comes to developing a GRC framework, an organisation’s Chief Information Officer (CIO) is key to successful implementation. As well as implementing enterprise systems and system and data security, modern CIOs devise solutions that improve the efficiency of the operation through automation, simplification of key processing systems, and improvements to business processes.

Shadow IT is the term given to systems built and run outside the control of the IT function, typically spreadsheets and Access databases, and it is a recognised threat to GRC. Shadow IT usually starts with the best of intentions: a department wants to do some analysis, or to capture information that isn’t available in the enterprise systems. Very often those systems grow, adding additional data or capabilities, and become vital to the operation of the department while being used to make or support business decisions, all without the controls, evidence trail or audit that the enterprise systems are subject to.

Ensure that your CIO is looking at ways to bring shadow IT into the fold, and that the correct controls are in place, such as a named owner, access control, change control and backups (even something as simple as ensuring that critical spreadsheets are backed up often enough can get missed).

Regulation and compliance will play a major role in the change agenda for 2017, and don’t forget to include GDPR in this list. Understand the 2017 GRC change agenda, and use any projects that are currently being implemented in silos as an opportunity to implement a holistic framework. Now is the time to identify business process improvement opportunities.

Be innovative in your solutions, but above all make use of a cross-discipline group to get the best results, and make sure that the CIO is part of that team.

Darren Wray