How the European Investment Bank transformed their GRC system

Integrated GRC

Objective: To transform the system of governance, risk and compliance

During the GRC session of MEGA’s first EA & Risk Exchange virtual conference, Mr. Johnny Benavides, Head of Internal Control and Operational Risk Prevention of EIB, shared his experience with the transformation of internal control.

The EIB (European Investment Bank) is an EU institution cooperating with other EU institutions to foster European integration, promote development of the EU, and regulate policies of more than 140 countries worldwide. The main purpose of the institution is to establish loans on financial markets for funding EU projects related to climate, environment, development, and innovation, including small and medium-sized companies, infrastructures and European cohesion.

In 2015 the EIB launched a project to transform their internal control system and optimize governance, risk and compliance (GRC).

Their wish for optimization was partly due to intensified regulatory requirements and partly a demand from their internal senior management as well as their partner, the European Commission. The EIB administers a number of EC mandates and therefore needs to justify efficient use of European funds and manage risk and controls in connection with the processes.

The main objective of the transformation was to deploy an integrated approach to document processes of the institution. With the HOPEX platform of MEGA it was possible to analyse and reference all information linked to risk and control as well as accommodate all kinds of operational risks. It was also part of the goal to provide senior management and the audit committee with precise reports to meet their high expectations.

The internal tool developed by the EIB themselves no longer met their requirements and was therefore replaced by the MEGA solution.

HOPEX enabled the EIB to:

  - Obtain traceability of maintenance and supervision actions. The analysis and audit trail provides a global view of maintenance actions that can be used for improving internal control and risk analysis processes.
  - Benefit from a long-term optimization vision and governance data flows. The information enables implementation of a long-lasting and stable system over time, allowing for new initiatives to be developed and future regulatory elements to be integrated without having to rethink the entire architecture.

IT solution aligning with business outcomes

The EIB chose the HOPEX platform from MEGA to support their GRC transformation for three main reasons: the ability to comply with their procedures, performance, and competitiveness.

The selection of service providers is a standardized procedure of the EIB as they need to comply with European directives for procurement requiring seamless transparency of competition and providers. Therefore, their request for quote included a very detailed scope produced by an independent consultant based on requirement analysis and market research. MEGA met the technical and financial criteria. The performance of the functional aspects offered by MEGA was essential in the final selection because the internal control team of the EIB did not consist of IT professionals, but rather operational experts in control, audit, and project management.

Implementing the transformation in 6 steps

  1. Identifying sponsors

When transitioning from an “in house” approach to a more sophisticated one like the methodology of MEGA, it is important to get internal sponsors to buy into the project. This allows them to contribute at all phases of the project and ensures alignment with all stakeholders.

  2. Support of senior management

It is also essential to obtain the support of senior management in order to accommodate interests of all company levels and minimize the operational impact of deployment.

  3. Defining reporting objectives

The entire strategy for implementing the solution focused on reporting objectives. With MEGA it was possible to meet the criteria of methodology as well as audit trail requirements and to define the level of information. This step facilitated arbitration, priority definition and operational decision-making.

  4. Defining an agile architecture

MEGA enabled the EIB to define an agile architecture supporting all variable inputs like risks, controls, and results of analyses and controls while allowing for the architecture to evolve along the road.

  5. Defining protocols for input of information on risk and control

It was very important to define and standardize protocols for capturing risks and to assure consistency of descriptions as well as the information granularity level.

  6. Anticipation of ambitions and future developments

Other important steps were to define a clear vision of the first performance level to be achieved as well as future ambitions and potential evolutions of the solution as the EIB required a system that could evolve and stay flexible for future requirements.

Key success factors of the transformation project

The best practices that have been applied as part of transforming the GRC system of the EIB have already resulted in positive benefits and outcomes.

For example, by using gradual deployment to master information, input protocol, application and reporting features, duplication of requirements and interpretation of expectations were avoided.

Limiting personalization was a hot topic of conversation. However, the EIB chose to adapt its strategy to the MEGA architecture rather than vice versa. This made them more agile and the transformation project much easier.

The institution also benefitted from support from senior management, which is essential, especially in the preliminary project phases. This allowed contributors to connect and avoided confining the project to a single silo and function.

Clearly defined goals and reasonable ambitions also contributed to a successful project. The EIB clearly assessed what should be implemented in the short and medium term of the transformation, which made it possible to define the scope of changes required.

Since reporting objectives were the goal of the EIB’s transformation project, they made an effort to define these clearly. Assessment of their internal control department will be carried out by senior management and partners of the EIB according to these objectives.

Finally, the EIB defined user roles. This part constitutes a project on its own that will be addressed in the next phase. As it will limit data modification rights of the application, it requires a thorough analysis of the information entered.