Gaurav Kapoor, Chief Operating Officer, MetricStream
Richard Pike, Risk Principal, and Holly Spencer, Senior Regulatory Consultant, Wolters Kluwer Financial Services
David Ridgway, Global Head of operational risk, BlackRock
The trend towards unified governance, risk and compliance (GRC) management systems is the single biggest development in the operational risk and compliance market in recent years. As regulators push for more stringent reporting requirements, and risk and compliance issues come under far more scrutiny from inside and outside the company, a recent Operational Risk & Regulation survey revealed that half of all financial institutions surveyed had either already bought GRC software or were considering buying it in the next 12 months. Proponents point to the advantages of abolishing the silo-driven oversight structures and replacing them with a single method of monitoring operational risk across every business unit in the company – making regulatory compliance and internal monitoring of risk easier and more reliable, and saving the wasted time and money associated with the duplication of internal monitoring, oversight and reporting in different silos and departments. Compliance with the Dodd-Frank Act requirements alone makes a strong case for simplifying, streamlining and improving risk reporting for any company that comes under the Act – and the same is true for European insurers preparing to comply with the Solvency II capital adequacy regime.
But introducing a GRC system – like any other major software system – is a significant project, and financial institutions need to be sure it will provide the benefits it promises in terms of both regulatory compliance and improved internal risk management and reporting. No less importantly, they need to know the pitfalls to avoid if the installation is not to become a costly failure. And they need to avoid treating the introduction of a GRC system as a technological quick fix – without the human support, at every level of the company, the system will be costly and useless – but getting support for a structural change of this size is never going to be an easy task.
Can a GRC platform help firms meet the challenges posed by the Dodd-Frank Act?
Richard Pike and Holly Spencer, Wolters Kluwer Financial Services: In recent years, with increased regulatory requirements like Dodd-Frank, organisations have had to expend significant resources to address risk, scrutinise their controls and analyse their business from a top-down and bottom-up perspective. With the increased demand for transparency around risk from the government, regulators shifted the risk assessment process from a ‘wait-and-see’ approach to an integral part of an organisation’s operational practices.
When done well, a GRC platform gives organisations the ability to identify, manage and mitigate internal and external risks to which they may be exposed, retrospectively or prospectively. Organisations with integrated GRC risk assessment processes are better positioned to capitalise on opportunities when they arise. Inevitably, this capability will help steer an organisation towards measurable, lasting success and longevity in today’s ever-changing regulatory climate.
David Ridgway, BlackRock: This would represent, in my view, a very practical application of GRC – a major, multi-dimensional and, more importantly, business-critical project that requires multiple groups at the table, working effectively together. I fear that a problem with GRC at the moment is it is not yet operating at this practical level.
Gaurav Kapoor, MetricStream:At a broad level, the Dodd-Frank Act calls for greater public transparency, higher market accountability, enhanced disclosure, more robust risk management and increased oversight – this is the essence of GRC. A GRC platform that facilitates a federated structure will ensure GRC programmes are well-aligned centrally and also distributed to lines of business, thus promoting ownership and accountability. Moreover, a GRC platform can clearly link and identify key processes, functions, risks and controls associated with the Dodd-Frank Act and highlight gaps as well as overlaps with other regulations ensuring efficient and sustainable compliance. The MetricStream solution for regulatory compliance management, which is part of the GRC platform, provides a common framework and an integrated approach to managing all aspects of regulatory standards and guidelines, including the Dodd-Frank Act, with embedded content libraries. The solution includes functionality for regulatory compliance management, regulatory examinations, regulatory intelligence, and alerts and policy management. The solution also comes pre-packaged with regulatory content, industry standards and best practices.