Implement GRC technology the

rightway
Prepare your organization for updated governance, risk and
compliance systems
Regulatory expectation, coupled with the increasing Ask the right questions to determine readiness for
need for risk and compliance departments to balance your GRC technology implementation.
cost and effectiveness is seeing a number of
organizations embark on governance, risk and If your company is at the beginning…
compliance (GRC) technology implementations or  Does your long-term vision include process
considering upgrading existing solutions. Careful efficiencies, integration, cost effectiveness and a
consideration of a number of factors is required for horizontal view of risk across the entire
these implementations to deliver the promised value. organization?
 Are you looking for an enterprise or a point
Organizations tend to make the same common solution?
 How mature are your business processes right
mistakes when implementing GRC technologies:
now?
At the beginning of a GRC technology implementation,  Is the GRC solution flexible enough to meet your
companies often fail to think through all the needs? Alternatively, how flexible are your
components and key activities necessary to ensure a processes to adapt to the solution’s limitations?
successful initiative. Those that forge ahead without  Can or should you go with an “out-of-the-box”
analysis and planning may find that their business solution or invest in a customized solution?
processes were not ready for automation, the new  What is driving the timeline for implementation?
technology does not work as anticipated, and timelines Is it strategy, regulatory requirements, expired
for completion cannot be met. licenses for current solutions, or frustration with
the existing system, processes, and datasets?
In fact, without proper planning, companies may not be
 What are the budget constraints? Do you know
using GRC solutions to their full potential. As a result, what it will take to implement the technology, and
technology designed to monitor and analyze GRC do you have sufficient resources to support it?
processes becomes nothing more than a repository for
documents, failing to support the comprehensive GRC If implementation is underway…
program the company intended. Meanwhile, solutions  Is there a general understanding of where you are
are often implemented in silos, and a lack of integrated headed, including timelines and key activities?
process leads to conflicting opinions and efforts  Are you unhappy with your GRC implementation?
between business units Do you believe there may be a better way to utilize
the technology?
Start (or start over) with a thorough assessment
 Are you achieving the original GRC vision and
of your organization’s readiness for a GRC objectives?
implementation or upgrade:  Can you and stakeholders from across the
Whether at the beginning of a GRC implementation, or organization clearly observe how the GRC solution
dealing with the repercussions of an undesirable result, enables business processes and add value?
organizations should conduct a business assessment to  Have you considered the communication and
outline steps to implement GRC solutions the right way, training requirements to roll-out the GRC
or to correct any issues produced by flawed solution?
implementation.

Implement GRC technology the right way 1

© 2020 KPMG Advisory (Hong Kong) Limited, a Hong Kong limited liability company and a member firm of the KPMG
network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss
entity. All rights reserved.
 Preparing for the GRC technology transformation
KPMG supports companies from the start of For companies that need to optimize their
their GRC technology implementation initiatives. GRC technology, we help with:
Using our enterprise GRC methodology, we review
the company vision, business process maturity, the — Conducting workshops to understand the GRC
drivers of the initiative, and the schedule for vision, key stakeholders, pain points and progress to
implementation. We also map available solution date.
functionality to the business processes that — Performing fit-gap analysis to determine the areas
organizations need to address. where technology can enhance efficiency a
business process, and how to improve reporting for
management decisions.
For companies that have not yet selected a
technology platform, we help with:
— Selecting the vendor who is best placed to meet
GRC deliverables and accelerators:
your specific GRC needs and requirements. GRC program implementation roadmap. A clear
path for the future is critical to the timely and
transparent execution of program activities.
For companies at the start of their GRC GRC data rationalization and data migration. Data
technology implementation, we help with: rationalization and cleaning, as well as a data
— Thinking through the main goals and objectives, migration strategy, enable a consistent and
either by reviewing documentation or facilitating repeatable process for the onboarding of all data.
workshops to understand the vision of the Testing strategy and evaluation criteria. This includes
integrated GRC program. prioritization of requirements, use cases and fit-gap
— Conducting a review of the current state of analysis to provide a link between the business
maturity of the business functions, which helps requirements and business process design.
align stakeholders across the GRC Deployment and post-production support plan.
functionalities. A successful implementation does not stop after go-
— Developing an effective implementation and live. A proactive approach to post-production support
communications plan to allow business accelerates adoption of the solution and resolution of
stakeholders and end users time to prepare. implementation issues.

— Determining all of the necessary steps to prepare People and change. An effective communication,
for the GRC technology implementation. training, and implementation adoption monitoring
ensures that the organisation gets the full benefit of the
investment.
KPMG GRC Implementation Services:
K ey benefits Strategy & Business
foundational People
Leverage KPMG’s experience design
& change
We understand the critical path to elem ents requirem ents
success having implemented GRC at User
Readiness
various organizations using different acceptance
GRC systems and solutions.
assessm ents
testing
Enable collaboration Vendor selection
Data Training &
We solicit the necessary input and &
m igration com m unications
com m unicate the right m essages im plem entation
Effectiveness
to relevant stakeholders. Project
and post-
m anagem ent
Meet regulators’ expectations im plem entation
support
We understand regulatory review
expectations and help ensure both Policies & Point solution
business and regulatory fram ework rem ediation
requirem ents are m et.

Implement GRC technology the right way 2

© 2020 KPMG Advisory (Hong Kong) Limited, a Hong Kong limited liability company and a member firm of the KPMG
network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss
entity. All rights reserved.
Technology assessment diagnostic model
KPMG has developed a diagnostic model to help With that knowledge, we craft a clear roadmap for
companies launch or refresh their GRC technology companies to follow, which includes steps for program
initiatives. strategy and design, and recommendations for roll-out,
training and communication.
To start, we help companies scope out the objectives
of the implementation and any pain points the
organization may be experiencing. We also perform
gap assessments to gain a high-level understanding of
the multiple areas of focus, looking at organization Wave 2
readiness or where solutions have been implemented
but miss the mark.

Wave 1

Continuous
Refresh GRC monitoring
Gap assessment
Implementation program and and change
configuration Roll-out, training,
— Strategy road map management
— Foundational elements communication
KPMG GRC Identification & scoping Roadm ap — Strategy — IT m onitoring
— Program management — User adoption
diagnostic — General focus areas deliverable — B uild and
— Client pain points
— B usiness requirements
before m oving configure — Training m aterials — End user
model — Functional space feedback
on to GRC (vendor) — Com m unication
gap docum entation plan and roll-out — IT change
program and — Test m anagement
— Test strategy
configuration — Deploy — B usiness
change mgmt

The KPMG difference

KPMG has extensive experience and a tested
methodology for delivering solutions across the
spectrum of governance, risk and compliance. We
differentiate ourselves through the following:

Expertise. Our team of subject matter professionals Track record of success. We have effectively assisted
have the skills and knowledge to provide multiple clients in implementing holistic, end-to-end
implementation and support services that meet varied GRC solutions, as well as in transitioning vendors with
GRC needs across a wide range of industries. little disruption.
Flexible methodology. KPMG’s GRC methodology Proven solutions. We identify and offer solutions that
enhances risk management programs, quality accelerate readiness and implementation activities for
processes, regulation- and industry-mandated core GRC applications, and our strongrelationships with
compliance programs, and corporate governance many providers help provide a cohesive experience for
initiatives, all tailored to each company’s specific needs. our clients.
Cross-disciplinary teams. KPMG creates cross- Knowledge of regulatory expectations. We understand
disciplinary teams to ensure the best possible outcome regulatory expectations and will bring our experience to
across the entire project lifecycle, including people and help future-proof your GRC investment.
change specialists who will support and enable the swift
integration of the GRC solution into your day-to-day
business.

Implement GRC technology the right way 3

© 2020 KPMG Advisory (Hong Kong) Limited, a Hong Kong limited liability company and a member firm of the KPMG
network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss
entity. All rights reserved.
Contacts
Alva Lee
Partner,
Risk Consulting
KPMG China
T: +852 2685 7780
E: alva.lee@kpmg.com

Jeffrey Hau
Partner,
Risk Consulting
KPMG China
T: +852 2685 7780
E: jeffrey.hau@kpmg.com

Paul Cheng
Director,
Risk Consulting
KPMG China
T: +852 2847 5075
E: paul.cheng@kpmg.com

kpmg.com/cn/socialmedia

The information contained herein is of a general nature and is not intended to address the circumstances of any particular
individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such
information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act
upon such information without appropriate professional advice after a thorough examination of the particular situation.
© 2020 KPMG Advisory (Hong Kong) Limited, a Hong Kong limited liability company and a member firm of the KPMG
network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss
entity. All rights reserved. Printed in Hong Kong, China.
The KPMG name and logo are registered trademarks or trademarks of KPMG International.