
After several successful projects, KPMG The Netherlands now introduces and supports IDS Scheer's GRC products in compliance projects. The best example of this success is the J-SOX compliance achieved by Hitachi Construction Machinery Europe (HCME). Ron Hartman, Corporate Manager Control, presented at this event that the compliance programme supported by KPMG and ARIS reduced the costs by 40%, which is well over a million euros. For perspective, HCME achieved a revenue of $9,388,000,000 last year. Read the Case Study with the compliance description for more details.

KPMG and IDS Scheer organized a joint Compliance event on 15 April for enterprises across all industries at Nyenrode Business University.

At the event KPMG The Netherlands explained their six-phase approach of 'Solid State Compliance'. During the presentation by KPMG Senior Manager Kees van Diepen, I demonstrated the deliverables of every phase live in ARIS Risk & Compliance Manager and ARIS Performance Dashboard. The audience was guided from start to finish with tips and practical examples.

A short overview of the six phases, with some highlights:

  1. Requirements phase
    In the Requirements phase companies identify which laws and regulations affect their business. For most companies that is between 5 and 20 different regulations, and a lot of the regulation overlaps. Excel is usually the tool for identifying and documenting external requirements. That works up to two frameworks, where for example ISO and COBIT are mapped to each other to identify similar requirements; a third or fourth framework can no longer be handled in a spreadsheet, because the mapping then needs three or four dimensions. In the ARIS repository many-to-many relations can be maintained, which solves the mapping of regulations. In ARIS the norm or requirement for the company can also be derived from the regulations and translated into process controls that cover the regulation.

  2. Risk & Control Framework
    In a lot of companies every business unit has its own Risk & Control Framework, resulting in multiple frameworks with no consistency. By defining one framework in one repository with clear ownership, efficiency in definitions, testing and reuse of best practices can be realized. KPMG advised distinguishing between Process Integrated Controls (PICs) and Monitoring Controls (MCs). The PICs are part of the operational processes and are tested once a year for existence (Test of Design, ToD). The MCs are tested regularly (monthly, for example) and actually cover the specific underlying PICs. This reduces the effort and cost of testing the Process Integrated Controls.

  3. Operational processes
    The operational processes consist of a sequence of activities with the Process Integrated Controls as part of them. Information such as roles (with RACI information) and supporting systems (with CRUD information) is also important to define and communicate. Transparency about 'the way we work' is provided by ARIS Business Publisher.

  4. Self assessments
    By introducing embedded testing of the PICs and continuous monitoring of the MCs, the time available for remediation during a financial year increases tremendously, with all the positive effects that brings.

  5. Monitoring of assessments
    The ways of monitoring in ARIS are improving tremendously. In ARIS Risk & Compliance Manager a dashboard is created where the results of risk and control assessments can be viewed along several dimensions: organization, processes, regulations and financial statements, risks and the test hierarchy. Besides that, the ARIS Compliance Dashboard has very appealing management views, and ARIS MashZone lets you easily create your own Risk & Compliance Dashboard.

  6. Audit
    Audit simply performs a test of operating effectiveness on the Monitoring Controls (instead of on all the results of the Process Integrated Controls). They can rely on all the information maintained in Risk & Compliance Manager. No additional reporting for Internal or External Audit is necessary. Everything (risks, controls, issues, etc.) is covered in one single repository.
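As an added illustration (not code from the original post, from KPMG or from ARIS), the following Python model shows why phases 1, 2 and 6 above call for a repository with many-to-many relations rather than a two-axis spreadsheet. The regulations, requirements, PICs and MCs are constructed sample data with illustrative names; the queries are the ones a GRC engineer would want: requirements shared by three or more frameworks, the controls that cover a given regulation, requirements with no control at all, PICs that no Monitoring Control covers, and the resulting audit scope.

```python
"""Toy GRC repository with many-to-many relations (constructed example, not ARIS)."""
from collections import defaultdict


class GrcRepository:
    """Regulations -> requirements -> PICs -> MCs, every link many-to-many."""

    def __init__(self):
        self.requirement_to_regulations = defaultdict(set)  # requirement -> {regulation}
        self.pic_to_requirements = defaultdict(set)         # PIC -> {requirement}
        self.mc_to_pics = defaultdict(set)                  # MC  -> {PIC}

    def add_requirement(self, requirement, regulations):
        self.requirement_to_regulations[requirement] |= set(regulations)

    def add_pic(self, pic, requirements):
        self.pic_to_requirements[pic] |= set(requirements)

    def add_mc(self, mc, pics):
        self.mc_to_pics[mc] |= set(pics)

    def requirements_of(self, regulation):
        """All requirements derived from one regulation."""
        return {req for req, regs in self.requirement_to_regulations.items()
                if regulation in regs}

    def shared_requirements(self, *regulations):
        """Requirements common to every listed regulation.
        Works for any number of frameworks; a 2-D sheet only handles two."""
        sets = [self.requirements_of(r) for r in regulations]
        return set.intersection(*sets) if sets else set()

    def controls_covering(self, regulation):
        """PICs that cover at least one requirement of the regulation."""
        reqs = self.requirements_of(regulation)
        return {pic for pic, covered in self.pic_to_requirements.items() if covered & reqs}

    def uncovered_requirements(self):
        """Requirements no PIC covers: a compliance gap to remediate."""
        covered = set().union(*self.pic_to_requirements.values())
        return set(self.requirement_to_regulations) - covered

    def unmonitored_pics(self):
        """PICs no MC covers: these still need their own operating-effectiveness test."""
        monitored = set().union(*self.mc_to_pics.values())
        return set(self.pic_to_requirements) - monitored

    def audit_scope(self):
        """Audit tests operating effectiveness on the MCs; only unmonitored PICs
        fall back to direct testing."""
        return {"monitoring_controls": set(self.mc_to_pics),
                "direct_pic_tests": self.unmonitored_pics()}


def build_sample():
    """Constructed sample data; identifiers are illustrative, not from any real framework."""
    repo = GrcRepository()
    repo.add_requirement("REQ-ACCESS", {"SOX", "ISO27001", "COBIT"})
    repo.add_requirement("REQ-CHANGE", {"SOX", "COBIT"})
    repo.add_requirement("REQ-BACKUP", {"ISO27001"})
    repo.add_requirement("REQ-SEGDUTY", {"SOX", "ISO27001", "COBIT"})
    repo.add_requirement("REQ-LOGGING", {"ISO27001", "COBIT"})
    repo.add_pic("PIC-01", {"REQ-ACCESS", "REQ-SEGDUTY"})  # provisioning approval
    repo.add_pic("PIC-02", {"REQ-CHANGE"})                 # change ticket sign-off
    repo.add_pic("PIC-03", {"REQ-BACKUP"})                 # nightly backup job
    repo.add_mc("MC-A", {"PIC-01"})                        # monthly access review
    repo.add_mc("MC-B", {"PIC-02"})                        # monthly change log review
    return repo


if __name__ == "__main__":
    repo = build_sample()
    print("shared by all three:", sorted(repo.shared_requirements("SOX", "ISO27001", "COBIT")))
    print("controls covering SOX:", sorted(repo.controls_covering("SOX")))
    print("uncovered requirements:", sorted(repo.uncovered_requirements()))
    print("PICs without a monitoring control:", sorted(repo.unmonitored_pics()))
    print("audit scope:", repo.audit_scope())
```

The point of the model is that every question above is a set operation over relations, so adding a fourth or fifth regulation changes nothing in the code, whereas a spreadsheet mapping two frameworks against each other has to be redesigned for each additional one.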

After this compliance presentation by KPMG and IDS Scheer, Robin Pol, COO of ASR Insurances, together with Xander Salari, Head of Organization Advice & Control, shared their successful experiences with the ARIS for GRC solution. The HCME compliance case was presented by Ron Hartman and IDS Scheer GRC guru Michiel Jorna.

Nyenrode Business University was a very inspiring environment for the 45 attending companies to evaluate afterwards what the lessons learned mean for their own situation, and to realize that regulation will only increase in the coming years, in all industries, with growing attention from the authorities.

@Community: if you want to know more about the innovative joint solution of KPMG The Netherlands and IDS Scheer, post your comments and thoughts on this blog. The complete slide deck of the KPMG/IDS Scheer compliance solution can then be sent to you.

Tags: ARIS