A more volatile global business environment was what prompted industrial technology giant Honeywell to take a long hard look at the current state of its governance, risk, and compliance (GRC) processes.
All the company’s board members “saw the headlines on global security issues,” observed Pablo Hernandez, director of IT and technology audit at Honeywell. “They asked, what about us? What are we doing to manage our security globally?” He shared his company’s journey to streamlined and standardized GRC processes in a recent Webcast hosted by Compliance Week. (Listen to the full Webinar here.) There are valuable lessons learned here for finance execs, who need to understand the importance of embedding compliance within business processes and policies and managing risk while anticipating change.
Pablo explained that among the challenges Honeywell faced going into the project was increasing complexity in regulations, as well as “compliance fatigue.” The organization, like many global companies, has grown through a combination of organic means and M&A. Consequently, standardizing GRC processes was difficult because many of the businesses it acquired each had a different way of working.
Working toward one view of risk
With nonstandard GRC processes scattered across the business, Honeywell aimed to have one view of the risks across the company. “We wanted to have one place, one ecosystem where we would be able to see our compliance posture – how well we’re doing, where the risks are… and having it in one place so that we can quickly report on it,” said Pablo.
To achieve this monumental task, the company gave itself a strict deadline: eight months to implement and roll out a new way of managing GRC. This approach would include greater standardization and automation with the aim of improving transparency and increasing efficiency. To help it achieve this ambitious timeline, Honeywell brought in EY and leveraged integrated GRC solutions from SAP.
A more efficient process
“Typically, customers view GRC as an access- or process-related task or a risk management-related implementation. However, taking a broader enterprise perspective is much more efficient, effective, and economic,” noted Mitesh Chugh, a senior manager within Advisory Services at EY. Mitesh was among the team of consultants who advised Honeywell in overhauling its GRC processes.
The team focused on redesigning and streamlining all the company’s control processes, leveraging state-of-the-art GRC solutions for automation. They aimed to reduce the number of controls by 50% and automate them by 50%. Once this was accomplished, they were able to cut down control testing time from 1,800 hours to only 450 hours. Pablo considers this a great achievement. “This was time better spent on generating revenue and on things that really matter to our customers,” he remarked.
Making it easy for stakeholders
With the implementation of the new integrated GRC solutions, the team was able to quickly identify and address issues across the business. Now, they had a centralized “single version of truth.”
They were also able to generate reports faster, which increased the efficiency and productivity of the team. “To be able to operate a multinational company in different jurisdictions … and trying to gauge the health of the firm, took a significant amount of time. Now we can present that in near-real-time in a visually appealing manner,” Pablo said. Configurable fields for reports also gave Pablo and his team the flexibility to create customized reports for stakeholders at various levels and functions.
Pablo also pointed to the interactive forms feature as a great resource to get quick feedback from multiple stakeholders. These interactive forms enabled them to do offline processing without needing to log into the system. The team now uses these forms to do policy surveys, management representation letters, and balance reviews, among many others.
Lessons from the battlefield
Although the company still has many plans to further optimize its GRC processes, Pablo and his team have already learned many lessons from their experience so far. He shared some of them with the Webinar attendees.
Notable was the need to obtain executive sponsorship for the GRC vision, strategy, and roadmap. Executive support is important in setting the tone and strengthening the culture of adoption, Pablo mentioned. It’s also very important to implement the standard GRC solution and to avoid customizing. “You can configure, don’t customize,” he advised. This ensures that you don’t have problems in the future when there is an upgrade or a new service pack.
“Standardizing, Streamlining, and Automating Controls: Honeywell’s One View of Risk Program” was hosted by Compliance Week assistant director of events Tsvetelina Gabin. For a more in-depth look at how Honeywell implemented its “One View Risk” Program, you can access the full Webinar hosted on demand by Honeywell, SAP, and EY here.
You can also view here the customer testimonial video by Honeywell’s Pablo Hernandez, “Gaining a Single View of Risk and Controls with SAP Solutions for Governance, Risk, and Compliance.”