Case study

Infusing risk and governance into digital transformation

How RSM jumped in to give a financial services giant a smooth first release

Jun 06, 2023

To keep up with changing times, a 115-year-old financial services giant planned a massive $350 million, multiyear digital transformation project. The company, which provides innovative insurance and financial products to the consumer market, had several modernization goals, including a new ERP system, a data warehouse for a single source of truth, updated policy administration systems, and a new reporting platform for the actuarial and finance teams.

Two years into the planning process, to bring its ambitious strategic road map to fruition, the firm contracted RSM for project management and boots-on-the-ground implementation support. A successful launch of the first phase of this large digital transformation needed to occur in six months—no small feat.

Uncovering a critical omission: governance, risk, and compliance

As RSM began its work, an internal conversation between management and risk consulting colleagues led to questions about the financial services firm’s incorporation of risk and governance into its strategic transformation plans. RSM advisors interviewed the executive sponsor, who immediately realized that critical governance, risk, and compliance (GRC) components were missing from the overall design.

As with many digital transformation initiatives, a team of finance and IT professionals led the strategic planning and design phase before the company hired RSM. These teams gathered business requirements, but business stakeholders rarely have the necessary perspective on the control checks that need to be built into modern technologies, as it is not their domain of expertise.

Ideally, GRC experts should have a seat at the table of all digital transformation projects to create well-thought-out controls every step of the way. If they are brought in closer to the go-live date—or worse yet, after the go-live—organizations end up with a fire drill as they realize they are missing critical privacy, compliance, audit, and other controls. These problems are compounded in highly regulated industries, like finance and insurance.

When this situation occurs, IT or the implementation partner jumps in to fix the gaps as best they can with emergency, bolted-on stopgap solutions that cause unexpected costs and serious delays. And when solutions aren’t conscientiously designed to be well-integrated from the get-go, these bandages become permanent additions that are expensive to maintain, lack automation and well-crafted integration, and add to the technical debt organizations are seeking to eliminate with the digital transformation.

Time for triage: Creating well-built solutions on a tight deadline

When the oversight was detected, the firm sought help from our professionals, who quickly created a triage team drawn from a deep bench of experts within finance, technology, data, and end-to-end data flow.

This team fast-tracked the requirements gathering phase and focused specifically on building controls—including Sarbanes-Oxley, operational, and security—that could be implemented within the tight, impending deadline that lay just a few months away.

The goal was to avoid the pitfalls of stopgap measures and to create solutions that were just as well-thought-out, integrated, airtight, and automated as they would have been if included in the original digital transformation design. Overall, both our management and GRC teams met the first phase deadline. When a few unforeseen gaps caused by the initial oversight in planning were discovered closer to launch, the team had 20 days prior to the first month’s close to formulate thorough solutions; they met that goal as well.

Throughout the project, RSM also educated the firm’s leadership team about these risk and governance capabilities, arming the team with the right information so that they could better inform and answer questions about the digital transformation project from the internal audit committee and external auditors.

The benefits of deep and broad experience

While this project wasn’t without its challenges, our team was equipped to leap into action to strategically fill in gaps that were missed in the client’s original planning process. Because we have advisors with deep functional knowledge across many areas, the team could quickly come together to design, build and integrate the GRC components the firm needed for a cohesive digital transformation within an appropriate timeline. With RSM’s guidance, the company was able to shore itself up against GRC risk and avoid the many technical issues that can plague companies when security and compliance functionality is added later.
