Achieving sustainable growth and improving business conduct, through transforming the risk function, is key to operating in today’s environment.

Organisations can’t exist without accepting the risk in chasing the market opportunity. To attract capital investment, debt or Government funding, a return, financial or otherwise, is required; at the same time, to operate within an acceptable risk appetite, entities need to identify, assess, manage and monitor the risks.

Risk can be identified at a range of levels, including emerging, strategic, corporate and operational, and across areas such as technology, cyber security and regulation. Some form of technology-enabled process and system to help the board and management keep their finger on the pulse of what’s happening across the business is becoming essential.

What is GRC?

No matter how simple or sophisticated the process – an organisation has always had to have some form of its own governance, risk and compliance management. However, over the years the use of the term ‘GRC system’ has become synonymous with the technology systems/applications that a company can use to manage its governance, risks and compliance requirements – traditionally provided by various software vendors. GRC systems have been developed to allow data to be inputted from across the business with the intent that the reporting generated gives management the risk and control information they need.

Start with your people

The best GRC system in the world can’t fix a cultural problem. Senior executives need to make sure businesses have the right skills, people and corporate culture in place to effectively manage risk.

Once the culture and people are properly aligned, a fit-for-purpose data strategy and framework needs to be determined – then the process and technology can enable the required outcomes. Many companies have, or are moving to, cloud-based platforms and applications that are specific to different business functions such as finance or procurement, but in many cases the systems don’t speak to each other and the data format and structure are not aligned. Without the right technology, organisations can’t get the efficiencies needed in reporting and managing risk.

The three ages of GRC solutions

On premise

An on-premise licence solution is where an organisation licenses, or takes a licence for, an application that is then installed on the company’s servers, with the backup and administration done at the organisation’s site. In addition to the in-house business-as-usual cost implications, organisations then need to add the usually significant cost of configuring and implementing the application so it meets the business need.

With some of the bigger GRC systems, the starting point for this process is easily into the millions.

In an ideal world an organisation would have one source of truth for its data. With the right technology and systems, this would make it possible to analyse trends, apply machine learning and even form predictive views (based on a set of assumptions) to make better informed decisions. No business wants to learn about a significant issue on social media.


Software-as-a-service (SaaS)

The second option is software-as-a-service (SaaS). In this scenario the provider/vendor hosts the application on their own servers, generally in the cloud or over the internet. They provide the software and access to the client to use it on their own platforms.

This option still requires a degree of configuration and set-up for each business, but this can also provide benefits for some organisations. The configurability allows organisations to make changes to the solution in line with their specific needs and requirements. This is relevant for organisations that might have specific regulatory requirements or processes they must follow.

KPMG's Powered Risk is a good example of a Software-as-a-Service approach to GRC system deployments. Powered Risk is for risk transformation, integrating our forward-looking approach to risk management with deep industry knowledge, leading cloud technology and global delivery capabilities.

Managed service – SaaS plus maintenance, upgrades and support

The next evolution is KPMG Risk Hub. Risk Hub has an added wraparound service to create a managed service across the platform, system and best practice pre-configured reporting, with ongoing continuity, support and training. Of course, any assistance needed outside of this service is easily and effectively available through the broader KPMG firm.

With a SaaS provider, organisations would need to spend time and incur costs related to set-up and configuration, as well as ongoing investment from an IT administration perspective. KPMG’s Risk Hub does all of this and provides best practice risk libraries and reporting for an organisation. The suite of preconfigured, best practice reporting eliminates the IT start-up costs, leaving only the mapping of the existing risk items, descriptions and framework into the preconfigured solution that KPMG Risk Hub has developed.

KPMG, in a global alliance with IBM, now offers a managed risk service – Risk Hub – a technology-enabled managed service for governance, risk and compliance. It offers a holistic view of the risks by integrating data across all levels of the business through a cloud-based technology solution that enables real-time risk management. KPMG manages a best practice GRC platform enabling in-house risk teams to focus on adding value into the business.

How can Risk Hub benefit your business?

[Infographic: How Risk Hub can benefit your business]

Key benefits of the wraparound model

1. Cost benefits, efficiency and risk reduction

The ongoing regulatory and compliance burden on all organisations is continuously increasing and it’s hard to see any future where this will decrease. At the same time, businesses need to be more efficient than ever to remain competitive.

To offset the increased regulatory and compliance burden, organisations can use a data and GRC solution like KPMG Risk Hub to improve efficiencies and information flows and to reduce costs. The more regulated the environment, the more effective the Risk Hub solution.

2. Spot emerging trends and make strategic decisions

Organisations can make better strategic and/or tactical decisions if management can identify trends in the underlying data. Spotting trends such as increases in issues, challenges, staff complaints or control weaknesses will allow them to proactively manage their options as they have a clear view from the data and risk information of what is happening across the business.

If an organisation is having a problem, the service side of the Risk Hub means that companies can bring in the relevant expertise from KPMG to help manage the issue, as opposed to involving third-party providers who don’t understand the system and business issues.

3. Ensure the organisation’s culture and risk appetite are consistently applied

Developing, articulating and applying a risk appetite and consistent culture across the business is one of the real challenges for business leaders and Boards. If a business is concerned that the desired risk appetite and culture may not be consistent across the organisation, KPMG offers a range of ways, from simple tools to workshops and training, to support the process.

Data collection in a suitable format through a GRC solution is an important component allowing testing and analysis of how a business is tracking against key risk indicators.

Businesses need a good GRC system

Organisations need to have a data strategy and governance framework in place. Once the data strategy and governance are in place, data integrity will improve significantly, enabling the use of digital and analytical tools and reporting to become efficient and effective. The right GRC solution then allows instantly updated reporting based on approved risk inputs to the system. A key part of achieving long-term sustainable growth is linking operational risk information through to the business’s strategic risk.

GRC technology will help businesses obtain insights into, and spot trends in, what is happening in their business, thus enabling better business decisions.