Digitalization of internal control

How to choose the right Governance, Risk, and Compliance (GRC) solution?

As new players have entered the market to help companies digitize their internal control, the time is ripe for reflection on the most appropriate solutions, starting with Governance, Risk & Compliance (GRC) software.

Here are some points to consider.

Solutions needed to support the deployment of internal control

The vast majority of French companies (80% of companies in the CAC 40, excluding the financial sector, and the CAC Next 20) have set up a common internal control framework, supported by self-assessment campaigns. This is highlighted in our analysis of annual filings by companies.

Most large companies have a GRC solution. But the solutions in place are not always seen as the best showcase of the company’s internal control digitization: they are not necessarily integrated with other risk management applications, access for operational staff is not always easy, and there may be too few licenses or an unsatisfactory user experience.

The application landscape evolves with new players to meet the need

The landscape of tools, and especially of tooling needs, has changed a lot.

Beyond the historical solutions, developed mainly for SOX and LSF, other players have positioned themselves on internal control features. Examples include Diligent, which took over Galvanize; Workiva, historically present in annual documents; Blackline, which has completed its offering; ServiceNow, which is arriving in the landscape; and OneTrust.

Other more recent and smaller players are positioning themselves, particularly in France, with more targeted solutions.

This new range of solutions invites reflection on which tool to choose for internal control, a reflection that involves other functions of the company with related digitization challenges: internal audit, risk management and compliance, cyber, CSR, the data protection officer (DPO), and so on.

Should we opt for a single solution that meets the expectations of all these functions?

The tools we have explored rarely offer a perfect solution that meets the needs of all departments.

Benchmarks are evolving rapidly, especially as positions in them are partly based on declarative processes, which do not always reflect how well a solution actually fits specific needs.

Our conviction is that it will most often be necessary to build an application landscape composed of several solutions, the main thing being to ensure that these solutions are interoperable and that a global view is easy to obtain.

For internal control functions, an integrated approach with risk and internal audit functions will often be more relevant: our analysis of the 2021 annual documents shows that 45% of the non-financial companies of the SBF 120 have an internal control function grouped with another department, often risk and/or internal audit. This reinforces the need for a common approach to risk repositories or the monitoring of action plans.

5 golden rules for choosing a GRC solution

When a company embarks on a project to acquire or change GRC tools, it can follow these 5 golden rules to guide its choices:

  1. Develop a medium- and long-term vision of candidate use cases, with a clear understanding of pricing models;
  2. Simplify the end-user experience: as the function's main interface with employees, the tool must include features that make their work easier, for example the ability to attach several “problems” to the same action plan;
  3. Think about the ease of implementation and configuration: specific developments are often no longer possible, and configuration is in many cases in the hands of the internal control functions;
  4. Focus on deployment agility and progressive integration of use cases, identifying interdependencies from the outset;
  5. Ensure agile data connection capabilities, to be able to integrate a dynamic view of risks and controls.

When developing proofs of concept (POCs) for the main candidate use cases, a strong focus on the user experience will be needed, for example by showing end users the experiences offered by some solutions before drafting specifications.

Finally, even if cost remains an important element, pricing models - especially in the cloud - must be compared with the expected time savings and efficiency gains for all internal control actors, beyond the function itself.