Call (240) 460-3799 or email: info@riskprosolutionsllc.com

A large financial institution was looking to transform its enterprise and operational risk management program through the rollout of a new enterprise Governance Risk and Compliance (eGRC) solution. The organization sought to replace fragmented risk processes, inconsistent reporting and legacy tools with an integrated eGRC platform.
Risk Pro Solutions assessed the maturity of various risk management functions and created a transition plan to help launch the implementation project. Later, we continued to provide business integration services through detailed business requirements analysis, process improvements, operating model design, data migration analysis and change management activities. As a result, the organization was able to successfully launch the risk management transformation initiative and accomplish the stated goals of the project.
This large government agency processes billions of dollars of payments for grants.
Faced with challenges in its internal system controls over financial reporting, the agency's financial management division developed a multi-year plan to help improve the maturity of its financial management processes and systems. The maturity strategy took a holistic approach, covering people, processes, technology and data elements, to address inherent weaknesses in the control environment and resolve long-standing audit issues.
A key component of enhancing financial system controls maturity was to implement a process for proactive identification and assessment of emerging items, including changes to regulations, emerging technology and other issues. We helped implement an end-to-end process for identification and disposition of emerging items, including procedures, guidance, training and tools. Triaged items were risk assessed for overall impact to financial reporting controls and presented to senior management for review and approval. Once approved for further research, they were analyzed and the results presented to the Financial Management Risk and Controls Working Group during monthly sessions. The process was operationalized in 2021 and continues to run as Business-As-Usual (BAU) to this day.
Facing heightened regulatory scrutiny, the company needed to implement a comprehensive risk identification and assessment program to support its risk reporting needs.
A phased approach was adopted considering the change implications on the business. A top-of-the-house risk assessment, initially conducted by the enterprise risk stewards, was transitioned to the business areas in the next cycle, along with oversight and effective challenge from the Second Line. A common risk taxonomy and universal risk scale were implemented to support the enterprise risk identification and assessment. Risk identification activities spanned all risk categories and were overseen by the relevant risk committees. Internal controls and other mitigating activities were identified and assessed to determine residual risk. Risks were assessed assuming baseline operating conditions, and certain key risks and controls were re-assessed assuming conditions of stress, based on inputs provided by the company’s Scenario Analysis and Capital Modeling teams. The results of all the assessments were aggregated, reviewed by the Risk Committees and reported to the Board. The risk profiles were used for the company’s Comprehensive Capital Analysis Review (CCAR) process.

A U.S. government agency engaged our team to strengthen IT and security controls supporting its financial systems in preparation for A‑123 compliance reviews and the annual financial statement audit. Working directly with the Office of the CISO, we provided comprehensive remediation assistance to address self‑identified risks, audit findings, and control deficiencies across multiple systems. Our team helped create a Remediation Strategy and Plan, including standard operating procedures, tools, templates and metrics to help improve remediation efforts and drive continuous improvement of controls. We helped system teams develop mitigation plans, provided actionable recommendations for control remediation that ensured alignment with federal cybersecurity and financial audit requirements, and performed verification and validation (V&V) along with risk assessments for completed remediation. Dashboards were implemented to track remediation progress and performance, and were used to debrief the CISO, CIO and other leadership stakeholders. As a result of these changes, the agency was able to close many long-standing audit findings and reduce year-over-year control failures.
This top global technology company needed to manage compliance for its suite of cloud solutions across multiple geographies and regulatory frameworks. To help streamline its compliance efforts, the company embarked on implementing an automated GRC solution, not only to reduce manual effort related to controls and testing across its entire technology stack, but also to enable consistent processes, reduce duplication, and improve compliance reporting and analytics.
We helped align processes, risks, and controls across different product teams, identifying and removing redundancies in control assessments wherever possible to optimize efficiencies across the division. A common methodology for managing control assessments was also implemented, including a common testing calendar. The integrated control assessment methodology was implemented on the company's GRC solution.
Through this newly designed streamlined process, the company was able to support compliance with multiple frameworks in a sustainable manner going forward.