To keep up with changing times, a 115-year-old financial services giant planned a massive $350 million, multiyear digital transformation project. The company, which provides innovative insurance and financial products to the consumer market, had several modernization goals, including a new ERP system, a data warehouse for a single source of truth, updated policy administration systems, and a new reporting platform for the actuarial and finance teams.
Two years into the planning process, to bring its ambitious strategic road map to fruition, the firm contracted RSM for project management and boots-on-the-ground implementation support. A successful launch of the first phase of this large digital transformation needed to occur in six months—no small feat.
Uncovering a critical omission: governance, risk, and compliance
As RSM began its work, an internal conversation between management and risk consulting colleagues led to questions about the financial services firm’s incorporation of risk and governance into its strategic transformation plans. RSM advisors interviewed the executive sponsor, who immediately realized that critical governance, risk, and compliance (GRC) components were missing from the overall design.
As with many digital transformation initiatives, a team of finance and IT professionals led the strategic planning and design phase before the company hired RSM. These teams gathered business requirements, but business stakeholders rarely have the necessary perspective on the control checks that need to be built into modern technologies, as controls are not their domain of expertise.
Ideally, GRC experts should have a seat at the table of all digital transformation projects to create well-thought-out controls every step of the way. If they are brought in closer to the go-live date—or worse yet, after the go-live—organizations end up with a fire drill as they realize they are missing critical privacy, compliance, audit, and other controls. These problems are compounded in highly regulated industries, like finance and insurance.
When this situation occurs, IT or the implementation partner jumps in to fix the gaps as best they can with bolted-on, emergency stop-gap solutions that cause unexpected costs and serious delays. And when solutions aren’t conscientiously designed to be well-integrated from the get-go, these bandages become permanent additions that are expensive to maintain, lack automation and well-crafted integration, and add to the technical debt organizations are seeking to eliminate with the digital transformation.