SWISS GRC DAY 2018 Review

29 October 2018, 1:00 – 5:00 pm, Radisson Blu Hotel, Zurich Airport

SWISS GRC DAY 2018 – An Afternoon Focused on GRC


More than 200 participants took part in the 2nd SWISS GRC DAY at the Radisson Blu Hotel at Zurich Airport on Monday, 29 October. The considerable audience and their marked interest demonstrated the extent to which this relatively new special event, which is focused on governance, risk management and compliance, has struck a chord. In practical, solution-oriented presentations, the speakers addressed topics of concern such as cyber risk best practices, business continuity and crisis management, integrating and consolidating risk management and internal control, as well as the impact of digital transformation and the agility it necessitates. A case study and a live demonstration featuring an integrated GRC-Management software solution highlighted the best practice approach, to which the Swiss GRC Day is committed.


Besfort Kuqi, CEO, Swiss GRC, welcomed the audience and explained why the SWISS GRC DAY was created: to provide an opportunity to fully discuss and find out more about current issues, challenges and solutions in the domains of governance, risk management and compliance in Switzerland. He thanked the participants for their keen interest. He also expressed his gratitude to the speakers and to the moderator, Stefanie Egger, who ensured the afternoon ran smoothly.


“Are you prepared for a cyber-attack?” Roger Halbheer, Chief Security Advisor, EMEA, Microsoft, knows how to handle cyber risks. Organisations aren’t only confronted with hackers and malware, but with a multitude of attackers who each have their own agenda and methods. Further complicating matters is the constant evolution of these methods at the same time as new services such as the Cloud, SaaS, BYOD and IoT are posing new challenges to organisations. This means cyber security as a risk factor will continue to grow in importance, and finding the right balance between security and productivity will remain an ambitious goal. Roger Halbheer advised organisations to strictly align their cyber security practices with their business activities. For him, cyber resilience is of utmost importance and he showed the audience how a resilient cyber security system can be created.


Albert Andrist, long-standing Head, Business Continuity, Mobiliar Gruppe, knows that only a closely coordinated business continuity management strategy can help when an emergency strikes. He focused on the overlaps and differences between Risk Management and Business Continuity Management (BCM) and showed that these two fields can only function well in a complementary manner. Whereas Risk Management is responsible for keeping risks as low as possible, BCM ensures that any damage incurred is remedied as quickly and as efficiently as possible, so that business activities may continue. Being aware of these differences increases the chances of perfectly coordinating risk management and BCM, should the need arise.


Doris Andres, Chief Risk and Legal & Compliance Officer, Dextra Versicherung, shed light on the digitisation of governance, risk and compliance processes. Her case study showed that the GRC Toolbox created by Swiss GRC greatly simplifies the day-to-day business of an organisation dealing with highly flexible technologies and digitisation, customer-oriented solutions and strict FINMA regulations. Using concrete examples, Doris Andres showed how the GRC Toolbox not only easily meets the needs of her organisation, but is also audit- and FINMA-compliant. In fact, the tool’s efficiency has a highly positive effect on both time resources and costs. And last but not least, there are virtually no limits on its potential future applications.


Daniel Lucien Bühr, Partner, LALIVE Avocats and Philipp Lüttmann, Head of Corporate Compliance, BDO, provided valuable insight into Compliance Management according to the ISO 19600 standard and its integration into a risk and anti-corruption management strategy. Daniel Lucien Bühr provided an overview of the ISO 19600 standard, including the guidelines for introducing a Compliance Management System. These guidelines provide the basis for preventing illegal or irregular conduct by management and employees, and as such are a key component of effective GRC Management which lowers risks. In fact, effective compliance management based on international best practice is a must, especially in today’s world where organisations and management are subject more than ever to possible (criminal) investigation and corporate liability claims.


In the second half of the presentation, Philipp Lüttmann examined the core aspects of the ISO 37001 standard with regard to the implementation of a corruption prevention programme. He clarified its advantages, especially with regard to current anti-corruption legislation (e.g. UK Bribery Act). In particular, the standard provides definite benefits with regard to liability, reporting and reputation while offering whistle-blowers special protection. He then focused on organisational risks as outlined in ISO 31000 (risk management) and underscored the fact that, in general, certification creates trust.


“Has the Integrated Management System (IMS) become obsolete?” asked Zehra Sirin, Managing Director, Size Conses, and Thomas Haas, Partner, Size Conses. Their presentation focused on the potential areas of conflict between digitisation, agility and classical corporate management. Increasing volatility, uncertainty, complexity and ambiguity (VUCA) play a huge role in determining the type of management and control systems in an organisation. Agility is the order of the day. Sirin and Haas demonstrated that agility reduces risks. They also clearly showed what it means for an agile organisation to decentralise decision-making and management (“dual management system”). They provided recommendations for dealing with VUCA and resolutely answered their opening question with a “no”. In fact, the need for an integrated management system has become a crucial component of success due to increased complexity through VUCA.


Johannes Welser, Senior Consultant, Swiss GRC, provided attendees with a concrete example of a software solution for integrated governance, risk management and compliance. Before starting the live demonstration, he raised the issues which organisations are often confronted with, namely the lack of a centralised overview. This is often the result of a variety of stand-alone manual solutions, as well as the lack of buy-in to the company’s overall risk management strategy by all lines of defence. Johannes Welser provided solutions to these specific issues both in the interview and in the targeted live demo, during which the advantages of a specific GRC solution were clearly demonstrated.


Precisely how Risk Management and Internal Control can be integrated into an organisation and become an integral part of operations was demonstrated by Bianca Gebauer, Head, Risk Control, Post Finance and Pascal Zbinden, Head, Risk Control Services, Post Finance. They presented attractive solutions used by Post Finance which ensure their integration into current processes as well as their horizontal and vertical consolidation. The first task was horizontal consolidation, where the goal was to reduce outlay, overlap and inconsistencies. In order to do so, they first grouped all Risk Management and Internal Control functions together in a “Risk Control” Unit, before harmonising their activities. The standardised and consolidated management reports were a further result of this consolidation. By closely integrating the individual risks (bottom-up) with the largest risks (top-down), Post Finance was able to undertake a comprehensive risk assessment across all levels of hierarchy (vertical consolidation).


Many thanks:

Swiss GRC warmly thanks you for your interest and for having placed your trust in us. Do not hesitate to contact us if you have any questions or would be interested in a personal consultation, Phone: +41 41 921 23 23

We hope to see you at the SWISS GRC DAY next year!