The words Governance, Risk, and Compliance (GRC) carry a sense of reverence and anticipation for financial services stakeholders globally. This reaction makes sense given the regulatory history that we as a global economy have endured. The idea that controls may change reminds us that we struggle to adhere to routine in an already overcomplicated business world. Even so, some industry professionals say that technology today has the answers, while others believe that technology will provide us with some real possibilities as it continues to mature. No matter which opinion you hold, GRC processes need to be simplified from a delivery standpoint to keep pace with the rate of change.
I am often asked two questions at presentations and speaking engagements:
- ‘How are leading financial institutions (FIs) addressing the simplification of GRC?’
- ‘What taxonomies are being integrated into the banking framework to simplify GRC?’
How did this happen?
On the back end of the worst financial crisis in history, and amid a feeling of despondency about the global economy, the compliance community saw banks losing their dominant position. FinTech startups entered the market with solutions that promised a better customer experience, cost reduction, and faster turnaround with low to moderate business interruption. In parallel, regulators tried feverishly to maintain their stronghold over the financial sector by issuing regulations targeted at banks, with added layers of controls and expanded internal and external reviews. Interestingly, the GRC framework that sat at the center of this situation went unaddressed. The framework had been put together as a reaction to global regulation or as a remediation plan after a compliance failure, and the systems that supported GRC often produced backward-looking reports that served to support examinations and audits rather than forward-looking strategic decisions.
Banks’ operational risk models largely relied on historic loss data and myopic scenario planning. Executive management started to predict regulator responses using data that was itself in need of qualification. This approach brought penalties and assessments ranging from USD 1M to USD 20M, losses that were due almost solely to compliance failures.
As a result, most banks took up initiatives to simplify GRC and to introduce forward-looking analytics to help with risk-related decision-making.
The current state
In our go-big-or-go-home culture, some banks have implemented more than 1000 controls within their GRC framework. Excessive? Maybe. Industry compliance heads cited manual processes, antiquated systems, disparate communications between IT and the business, and duplication of effort as the reasons. A small group shared that their banks were forward-looking and incorporated analytics. One colleague even confided that big data was being used in early warning systems, or predictive analytics. However, the industry would benefit from an emphasis on smart data instead of the appeal of big data.
An industry-recognized risk authority in the APAC region points out that in the immediate term more core processes are being digitized, and that the industry should expect an increase in initiatives to simplify the GRC landscape and incorporate predictive analytics, in an effort to become a more agile and competitive bank of the future. He also explains that current regulatory initiatives, such as the Standardized Measurement Approach (SMA) by the Basel Committee, require banks to predict and contain operational losses to derive capital benefit.
When the question of long-term benefits came up, he affirmed that organizations view risk as a set of discrete controls spread across the second line of defense, and that drawing from diverse skillsets will lead organizations to transform their GRC program to achieve bigger, better, faster and cheaper results, with the following business benefits:
- Real-time intelligence: Effective and efficient decision-making, real-time risk monitoring, and regular compliance and environment monitoring enable banks to apply policies and standards as they execute business processes, to prevent non-compliance or the acceptance of risk beyond tolerable thresholds, and to predict the impact of change.
- Better decision-making posture: Analytics-led early warning signals in loss detection and reconciliation, along with digitization of the core systems in the medium term, provide the organization with precious time to craft the best action plan.
- Consistency: Removing overlap in activities, controls and responsibilities, legacy complexity, and duplication of effort, together with internal control automation and automated controls testing, generates real-time control intelligence.
- Enhanced competitive awareness: Digitization to support and regulate the bank of the future instills greater agility for competition against disruptors.
- Cost optimization: Simplification, digitization and automation bring reduced expenses and enhanced operational efficiency.
Through this, it is fair to presume that GRC can accurately balance prudential requirements with optimization efforts within a sustainable compliance landscape.
The technology conduit
In a recent conversation with a regulatory head of a think tank on next-generation technologies and solutions, he concluded that, based on their specific needs, banks will do well to consider:
- Using process modeling to achieve process simplification
- Implementing straight through processing (STP) where applicable to reduce overloads and eliminate bottlenecks
- Using both cognitive and predictive analytics to detect process anomalies and streamline opportunities
- Exploring automation possibilities for rule-based, repetitive processes, including controls testing
- Using cognitive techniques like image, biometric and voice recognition to simplify processes
- Using deep learning techniques to reduce false positives and for decision support
The future state
The future state is constantly being redefined and can’t accommodate a one-size-fits-all response. While no one knows the perfect answer to these challenges, or whether there really is one, two things are clear:
- An ideal future state should build on harmonized frameworks and a simplified set of controls to streamline predictive analytics. One of the pillars of simplification is harmonizing taxonomies, which, at its core, is the GRC framework of any FI.
- FIs have often used different taxonomies for operational risk, security, fraud, compliance and so on, producing irreconcilable or inconclusive risk assessments. A rule-based approach is appropriate for some risk elements, whereas a risk-based approach may be appropriate for others.