THOMSON REUTERS Implementation Case Study—Embracing a Common, Integrated Approach to Audit, Risk and Compliance
AGENDA
• Introductions
• Governance, Risk, and Compliance – Defined
• Computershare Case Study
  • Business case to pursue integrated GRC
  • Defining the org structure
  • Common language of risk and control
  • Methodology
  • Lessons learned
THOMSON REUTERS OVERVIEW
• We are the world’s leading source of workflow solutions for businesses and professionals, with 2008 revenues of $13.4 billion
• Through two divisions we serve high-end professional and business customers: the Markets Division and the Professional Division
Markets Division: 26,500 Employees, $7.9B in Revenue
• Provides financial applications for over half a million professionals globally
Professional Division: Tax & Accounting; Healthcare and Science; Legal
• 12,900 Employees, $3.5B in Revenue
• 4,500 Employees, $1.1B in Revenue
• 4,000 Employees, $0.9B in Revenue
• Westlaw relied upon by 98% of the world’s major law firms
• Checkpoint used by 100% of the top 100 US accounting firms
• Scientific: used by over 20 million researchers
• Healthcare: informing decisions affecting over 150M lives
CURRENT STATE: SILOED ASSURANCE FUNCTIONS
Major assurance functions currently operate in isolated silos: Operational Risk, Enterprise Risk, Financial Controls, IT Governance, Internal Audit, Compliance
Challenges
• Redundant systems and processes
• Poor visibility and reporting
• Lack of a common language for risk and control
• No common methodology
A PRAGMATIC VIEW OF GRC
What GRC is Not
• A discrete process, technology, or profession
• An organizational department
• A single technology solution
• ERM
• The solution to all audit, risk and compliance problems
What GRC Is
• A common discipline to be embraced across silos
• Collaboration between departments
• Purpose-built solutions sharing a common framework
• Context for ERM
• Pursuit of improving audit, risk and compliance processes
THE FIVE POINTS OF GRC COLLABORATION
• Shared context: organization and process structure
• Common language of risk and control
• Common methodology
• Enterprise-wide reporting
• GRC convergence technology
1. SHARED CONTEXT AND ORGANIZATIONAL STRUCTURE
• Organizational Structure
  • Business unit
  • Legal entity
  • Geographic area
  • Country
  • Product line
  • Service line
  • IT assets
• Process Hierarchy
  • Mega process
  • Major process
  • Process
  • Sub-process
• The context must reflect the organization and how value is added – not what is being audited:
  • The organization and its key components, relationships and capabilities
  • The business processes reflecting how value is added
• All context information is shared. Everyone knows what everyone knows.
2. COMMON LANGUAGE OF RISK AND CONTROL
Charles Darwin
… during the 1700s, European naturalists began collecting thousands of specimens of newly discovered species during voyages to Africa, Asia and America. This influx of new species led to the systemization of naming conventions and methodologies for reporting findings. Without standard naming conventions or scientific methodologies, scientists from different disciplines would have no way of sharing discoveries and compiling knowledge.
… during the early 20th century, assurance specialists identified thousands of (SOX and other) risks, controls, issues and action plans …
3. COMMON METHODOLOGY
Common methodology exists when silos share each other’s work and build on it
• Defining, rating and reviewing the risk and control framework of an organization is consistent not only within a particular assessment group but also across groups.
• Assurance groups are not duplicating work.
• Process owners are not inappropriately burdened by multiple or even conflicting directives from the various assurance groups or their senior management.
4. ENTERPRISE-WIDE REPORTING
• Compare trends across the organization over time
• Compare business units at a point in time
• Compare one company to another
• Improve ERM scores by rating agencies – lower costs
• Fewer crises, more stability, higher multiples
COMPUTERSHARE CASE STUDY: OUR BACKGROUND
• Computershare is the leading financial market services and technology provider for the global securities industry.
• We provide services and solutions to listed companies, investors, employees, exchanges and other financial institutions.
• Computershare services include:
  • Transfer agency
  • Employee share plans
  • Document management
  • Market intelligence
  • Cross-border listing
  • Depository interests
  • Financial markets software
COMPUTERSHARE CASE STUDY: OUR GRC FUNCTIONS
Computershare currently employs the following:
• ORM Profile: for the business management of the risk function in our organization
• Audit Profile: for Internal Audit to evaluate the control activities in our organization
• IT Governance Profile: to bridge the gap between IT and the business through Risk Assessment and Internal Audit
• Compliance Profile: to leverage the Compliance function across all levels and areas of our organization
COMPUTERSHARE CASE STUDY: OUR GOALS
• Align external rules and regulations with our internal business process models
• Measure the impact of external requirements on our day-to-day business processes
  • Identifying the Compliance risks presented
  • Assessing the internal controls in place to mitigate those risks
• Report on Compliance in conjunction with the Business, Risk and Audit functions
COMPUTERSHARE CASE STUDY: OUR GOALS
• Effectively blend the Compliance function with the various business functions across the organization to create efficiencies by:
  • Knocking down the walls between departments and minimizing cross-functional boundaries to reveal that governance-related functions touch all business areas
  • Encouraging business managers to realize a collective responsibility for Compliance requirements
COMPUTERSHARE CASE STUDY: OUR CHALLENGES…
• The Compliance function tends not to be centralized, presenting difficulties when implementing across all business areas.
• Creating short-term and long-term efficiencies through the integration of the Compliance function
• Ensuring the cohesion of the Governance, Risk and Compliance functions!
COMPUTERSHARE CASE STUDY: OUR CHALLENGES…
• The implementation of the Compliance module does not change ownership or accountability of relevant rules and regulations.
• Communicating the applicability of Compliance requirements across the organization.
• Everyone owns a piece!
COMPUTERSHARE CASE STUDY: …AND OUR POTENTIAL SUCCESSES
• The alignment of Compliance requirements to our business processes provides focus on the tangibility of our governance-related functions.
• The central repository for all external rules and regulations promotes the collaboration of all assurance groups across the globe.
COMPUTERSHARE CASE STUDY: …AND OUR POTENTIAL SUCCESSES
• The addition of the Compliance profile allows us to leverage the system to create a standard language and common methodology across all regions and business functions.
• The reporting tools used in the ORM and Audit profiles can be further utilized in the Compliance profile for enterprise-wide reporting.
QUESTION AND ANSWER
If you have any questions, please feel free to contact:
Mike Rost, Paisley, +1 763.450.4706, mike.rost@thomsonreuters.com
Susan Panzer, Computershare, +1 781.575.2505, firstname.lastname@example.org