The words Governance, Risk, and Compliance (GRC) carry a sense of reverence and anticipation for financial services stakeholders globally. This reaction makes sense given the regulatory history that we as a global economy have endured. The idea that controls may change reminds us that we struggle to adhere to routine in an already overcomplicated business world. Even so, some industry professionals say that technology today has the answers, while others believe that technology will provide us with some real possibilities as it continues to mature. No matter which opinion you hold, GRC processes need to be simplified from a delivery standpoint to keep pace with the rate of change.
I am often asked two questions at presentations and speaking engagements:
How did this happen?
On the back end of the worst financial crisis in history and amid a feeling of despondency about the global economy, the compliance community saw banks losing their dominant position. FinTech startups entered the market with solutions that promised greater customer experience, cost reduction, and faster turnaround with low to moderate business interruption. In parallel, regulators tried feverishly to ensure their stronghold over the financial sector by issuing regulations targeted at banks with added layers of controls and expanded internal and external reviews. Interestingly, the GRC framework that sat at the center of this situation went unaddressed. The framework was put together as a reaction to global regulation or as a post-compliance failure remediation plan, but the systems that supported GRC often produced backward-looking reports that served to support examinations and audits rather than forward-looking strategic decisions.
Banks' operational risk models largely relied on historic loss data and myopic scenario planning. Executive management started to predict regulator responses by using data that was in need of qualification. This approach brought penalties and assessments ranging from USD $1M-$20M, losses that were due almost solely to compliance failures.
As a result, most banks took up initiatives to simplify GRC and to introduce forward-looking analytics to help with risk-related decision-making.
The current state
In our go-big-or-go-home culture, some banks have implemented more than 1000 controls within their GRC framework. Excessive? Maybe. Industry compliance heads cited manual processes, antiquated systems, disparate communications between IT and the business, and duplication of effort as the reasons. A marginal group shared that their banks were forward-looking and incorporated analytics. One colleague even confided that big data was being used in early warning systems, or predictive analytics. However, the industry would benefit from an emphasis on smart data instead of the appeal of Big Data.
An industry-recognized risk authority in the APAC region points out that, in the immediate term, more core processes are being digitized, and the industry should expect an increase in initiatives to simplify the GRC landscape and incorporate predictive analytics in an effort towards becoming a more agile and competitive bank of the future. He also explains that current regulatory initiatives such as the Standardized Measurement Approach (SMA) by the Basel Committee require banks to predict and contain operational losses to derive capital benefit.
When the question of long-term benefits came up, he affirmed that organizations view risk as a set of discrete controls spread across the second line of defense and that drawing from diverse skillsets will lead organizations to transform their GRC program to achieve bigger, better, faster and cheaper results with the following business benefits:
Through this, it is fair to presume that GRC can accurately balance prudential requirements with optimization efforts within a sustainable compliance landscape.
The technology conduit
In a recent conversation, a regulatory head of a think tank on next-generation technologies and solutions concluded that, based on specific needs, banks will do well to consider:
The future state
The future state is constantly being redefined and can't accommodate a one-size-fits-all response. While no one knows the perfect answer to these challenges, or whether there really is one, two things are clear: