Luc Brandts, Chief Technology Officer and Founder, BWise
Lisa White, Audit Partner, RBS Group Internal Audit
Jean-Marie Zirano, Vice-President in charge of Product Strategy, MEGA
With the worst of the financial crisis now past, banks are again turning their attention to governance, risk and compliance (GRC) frameworks. A survey published in the June 2011 issue of Operational Risk & Regulation found that 50% of financial institutions either had a GRC system in place (38%), were installing one (7%) or were planning to buy one within the next year (5%). Many companies say the ever-growing regulatory reporting requirements are pushing them to rebuild their GRC functions and centralise risk and compliance reporting. But implementing a GRC system can be a major undertaking and can bring its own operational risks, and it is often difficult to persuade the rest of the company that the expense and upheaval are necessary.
What are the main benefits that an institution would see from implementing a GRC programme?
Luc Brandts, BWise: The main benefit is that you, as a business, are in control. Rather than reacting to every new regulatory initiative or new risk management need, you can transparently report to your regulators, auditors and senior management. Thus, you can steer your company in the right direction and you can reduce costs.
Lisa White, RBS Group Internal Audit: I think there are other benefits of having an integrated system, such as having the ability to have one version of the truth across the company. Having all of the information in one place enables you to really get to the bottom of your key risks as a company and determine what your executive committee should be focusing on. And, particularly in financial services, but in other industries like the car industry as well, it shows your stakeholders they can have confidence in your safety and soundness as a firm.
Jean-Marie Zirano, MEGA: We are talking about companies, particularly in the financial industry, that need to make sure they are not going to be out of business tomorrow. Of course, that means more controls in their GRC programmes and in each of the audit, operational risk management and compliance departments. The obvious benefits are reducing costs and saving time. We also need to think about the business people who are behind these programmes who are considering the cost of these programmes and expect tangible benefits. And I think one of the main quick wins they can also gain from these GRC programmes is the clarity of their business processes.
Where does compliance with new regulations – such as the Dodd-Frank Wall Street Reform and Consumer Protection Act – fit on that list of benefits?
White: It is integral to have a GRC system in place. What you tend to find is people adopt new regulations on a very siloed basis, particularly in larger companies. A GRC system gives you visibility across the company of how regulations are being implemented, and also interpreted, and what residual risk is left at the end of it. In order to get something like Dodd-Frank – which is more than 2000 pages – disseminated across a business in a consistent way, it is integral to have a GRC system.
Brandts: It is important, rather than starting from the point of view of the regulations, to take yourself as a starting point. You organise in such a way that compliance comes as an end result, rather than the other way around. Because if you do this, then the next regulation coming out next year or in the next two years will not surprise you, it will simply be an addition to the work you have already done. What are regulators asking you to do? Sometimes they are very specific, but most of the time they are saying ‘we want you to be in control and, when you are not, to be able to report it to us’.