Best of breed Solutions & Professional Services
During the GRC session of MEGA’s first EA & Risk Exchange virtual conference, Mr. Johnny Benavides, Head of Internal Control and Operational Risk Prevention of EIB, shared his experience within transformation of internal control.
The EIB (European Investment Bank) is an EU institution cooperating with other EU institutions to foster European integration, promote development of the EU, and regulate policies of more than 140 countries worldwide. The main purpose of the institution is to establish loans on financial markets for funding EU projects related to climate, environment, development, and innovation and includes small and medium-sized companies, infrastructures and European cohesion.
In 2015 the EIB launched a project to transform their internal control system and optimize governance, risk and compliance (GRC).
Their wish for optimization was partly due to intensified regulatory requirements and partly a demand from their internal senior management as well as their partner, the European Commission. The EIB administers a number of EC mandates and therefore needs to justify efficient use of European funds and manage risk and controls in connection with the processes.
The main objective of the transformation was to deploy an integrated approach to document processes of the institution. With the HOPEX platform of MEGA it was possible to analyse and reference all information linked to risk and control as well as accommodate all kinds of operational risks. It was also part of the goal to provide senior management and the audit committee with precise reports to meet their high expectations.
The internal tool developed by the EIB themselves did no longer meet their requirements and was therefore replaced by the MEGA solution.
HOPEX enabled the EIB to:
• Obtain traceability of maintenance and supervision actions. The analysis and audit trail provides a global view of maintenance actions that can be used for improving internal control and risk analysis processes.
• Benefit from a long-term optimization vision and governance data flows. The information enables implementation of a long-lasting and stable system over time, allowing for new initiatives to be developed and future regulatory elements to be integrated without having to rethink the entire architecture.
When transitioning from an “in house” approach to a more sophisticated one like the methodology of MEGA, it is important to get internal sponsors buy into the project. This allows them to contribute at all phases of the project and ensures alignment with all stakeholders.
It is also essential to obtain the support of senior management in order to accommodate interests of all company levels and minimize the operational impact of deployment.
The entire strategy for implementing the solution focused on reporting objectives. With MEGA it was possible to meet the criteria of methodology as well as audit trail requirements and defining the level of information. This step facilitated arbitrage, priority definition and operational decision-making.
MEGA enabled the EIB to define an agile architecture supporting all variable inputs like risks, controls, and results of analyses and controls while allowing for the architecture to evolve along the road.
It was very important to define and standardize protocols for capturing risks and assure consistency of descriptions as well as the information granularity level.
Other important steps were to define a clear vision of the first performance level to be achieved as well as future ambitions and potential evolutions of the solution as the EIB required a system that could evolve and stay flexible for future requirements.
The best practices that have been applied as part of transforming the GRC system of the EIB have already resulted in positive benefits and outcomes.
For example, by using gradual deployment to master information, input protocol, application and reporting features, a duplication of requirements and interpretation of expectations was avoided.
Limiting personalization was a hot topic of conversation. However, the EIB chose to adapt its strategy to the MEGA architecture rather than vice versa. This made them more agile and the transformation project much easier.
The institution also benefitted from support from senior management which is essential, especially in the preliminary project phases. This allowed for contributors to connect and avoided confining the project to a single silo and function.
Clearly defined goals and reasonable ambitions also contributed to a successful project. The EIB clearly assessed what should be implemented in the short and medium term of the transformation which made it possible to define the scope of changes required.
Since reporting objectives were the goal of the EIB’s transformation project they made an effort of clearly defining these. Assessment of their internal control department will be carried out by senior management and partners of the EIB according to these objectives.
Finally, the EIB defined user roles. This part constitutes a project on its own that will be addressed in the next phase. As it will limit data modification rights of the application, it requires a thorough analysis of the information entered.