Grace Connect: The Black Swan That Tackles Non-Financial Risks

Veronika Zukova, Founder of Grace Connect (Photo © Olivier Toussaint)

Luxembourg-based Regtech Grace Connect has developed a Governance, Risk, and Compliance solution (GRC), which supports organizations and their employees in the implementation of a risk culture that complies with regulatory requirements.

What non-financial, i.e., non-quantifiable, risks are companies exposed to? Do they know how to identify, measure and prevent them?

“Non-financial risk is a qualitative risk, which is not covered by capital. However, it can put the organization at risk,” says Veronika Zukova. “These include, for example, reputational and liquidity risks, operational risks, cybersecurity risks, sabotage, power outages, privacy risks… The landscape of non-financial risks that a company faces is therefore extremely broad.”

In 2020, she and Mr Reynaert co-founded Grace Connect, a startup specialized in the management of non-financial risks.

Based at the LHoFT in Luxembourg City, the three-person Regtech is a member of the LHoFT, the ABBL (Association of Banks and Bankers, Luxembourg) and the ALRiM (Luxembourg Association for Risk Management).

“We start from the regulatory standards required by the regulator to prevent and manage risks.”

Veronika Zukova, Founder of Grace Connect

Poor communication, bad tools

Often, the organization does not have a global view of the extent and impacts (low or high) of its non-financial risks, Veronika Zukova observes: “Each department tackling governance, risk and compliance issues creates its own risk reporting with its own data and information. But these departments don’t usually communicate with each other,” she notes. “In addition, their first bad reflex is often to create an Excel summary file, without quantifying or budgeting the amount of these potential risks. Hence, the organization ends up with a dozen Excel files that are difficult to manage.”

In order to support organizations and their employees in the implementation of a risk culture that complies with regulatory requirements in force, the company has developed a GRC (Governance, Risk, and Compliance) solution, the Grace Connect GRC Suite (“GCGS”).

The tool identifies and manages non-financial risks – regardless of the size of the company or the complexity of its activities – in compliance with the directives and circulars issued by the Commission de Surveillance du Secteur Financier (CSSF) or the Commissariat aux Assurances, the two financial and insurance supervisors.

Jean-Louis Reynaert, its creator, has worked for more than 20 years in the management of non-financial risks within Big Four firms, for clients including insurers.

“We start from the regulatory standards required by the regulator to prevent and manage risks. We then review all aspects inherent in the company’s business, which we consider to be assets in the sense of security. Then we collect all the information that seems to determine the organization’s exposure to all the different types of risks,” Zukova explains. “Risk management is cross-cutting in nature. We, therefore, interact with the control functions of the organization, the Audit, Risks, Compliance, CISO, DPO, Finance departments, etc.”

The platform includes about fifty different modules, which deal for example with risk exposures in terms of GDPR, audit, or management of internal policies and procedures. The modules are linked together, in order to cover this transversality of risk. Once the risks are identified, Grace Connect offers mitigation solutions.

“The solution is customized with specific modules according to activities and types of risks.”

Veronika Zukova, Founder of Grace Connect

Working on NIS and DORA

The Regtech has recently developed a Privacy Impact Assessment module, dedicated to the impact assessment on personally identifiable information, an approach made mandatory in certain cases by the General Data Protection Regulation (GDPR). It is currently working on an ESG module, which will be operational in the coming weeks.

“The solution is customized with specific modules according to activities and types of risks. Installation and integration are carried out by qualified partners trained to ensure a smooth implementation with the customer,” Veronika Zukova adds. 

Grace Connect received the “Bis pitching cybersecurity startup” award for its approach and suite in October 2022, during the Luxembourg Cybersecurity Week. The National Cybersecurity Competence Center of Luxembourg (NC3) organized the event.

Last November, the Regtech ranked among the eight finalists of the 2022 ACA Insurance Innovation Awards. Organized in partnership with the Luxembourg House of Financial Technology (LHoFT), the event rewards the startup that has made the best contribution to the insurance industry.

In 2023, Grace Connect plans to further develop its solution and to hire cybersecurity experts as well as integrators to implement its application at customer sites.

The startup is also working on modules dedicated to the European NIS 2 Directive (Network and Information Security) and DORA (Digital Operational Resilience Act), two pieces of EU legislation on cybersecurity. NIS 2 will be mandatory in all Member States from 18 October 2024 onwards, followed by DORA on 17 January 2025.

Furthermore, Grace Connect was the official sponsor of the 11th GRC EMEA Forum held in Amsterdam on 20-21 April. The event brought together experts and thought leaders in governance, risk management and compliance.

Black swan

The company recently revised its logo, a blue swan with a black collar and head. This refers to the black swan theory, developed by the statistician Nassim Taleb, notably in his essay “The Black Swan”, which illustrates a cognitive bias in the perception of events that are unpredictable but have major consequences. According to Taleb, the event is a surprise to the observer.

This event is then rationalized a posteriori, as if it could have been expected. This retrospective rationalization comes from the fact that the information that would have predicted the event was already present, but not considered by the risk mitigation programs.

Grace Connect Wins NC3’s First Cyber Pitch Contest
