Gaurav Kapoor, Chief Operating Officer, MetricStream
Richard Pike, Senior Market Manager for Europe, the Middle East and Africa, Risk and Compliance, Wolters Kluwer Financial Services
Jean-Marie Savin, Group Head of Operational Oversight, BNP Paribas
What should firms consider when deciding whether to implement a governance, risk and compliance (GRC) system and which one to pick?
Jean-Marie Savin, BNP Paribas: Many things need to be considered. First, the balance of usage between central needs and local ones, which will drive the approach to issues such as the granularity of the information to be processed and the level of local customisation, especially with regard to regulation. Second, the availability and quantity of data, which will help to determine the level of automation in data provision that you will be able to include, and will help to anticipate any performance issues. Third, change management – the ability of the software to be easily adaptable to new requests, through standard functionalities (avoiding the development of specific applications for every new reporting requirement), and the company’s capacity to handle the changes caused by the implementation of a GRC system in the organisation through the standardisation of practices, transparency and analysing over-production of reports.
Richard Pike, Wolters Kluwer Financial Services: Financial services firms need to have a programme that identifies, monitors and effectively controls non-financial risks across their operations. For financial institutions, GRC systems can provide solutions to manage their entire operational risk and compliance programmes, according to industry regulations and best practices. These solutions allow them to have a holistic view of the entire risk and compliance process at their fingertips, enabling them to make the right decisions at the right time.
An effective GRC solution needs to be relevant and consistent. It should be designed and built specifically for the financial services industry – as this industry has very specific needs and challenges – and provide the ability to link regulations, policies, procedures, risks and controls with tests and audits to ensure a consistent view of the entire programme. It should be flexible enough to react to ever-changing regulatory and business environments. It needs to enable the division of roles and responsibilities throughout the institution – front, middle and back office – and requires a very clear user experience that is specific to each of those roles and responsibilities. It should also be provided by a company with significant expertise and resources in the financial industry that is used by financial institutions around the globe.
Gaurav Kapoor, MetricStream: In today’s organisations, GRC systems are a critical means to an end, which is the successful achievement of business objectives. Firms should clearly define their business objectives and then implement a GRC system that would help them achieve those objectives.
To determine the level of GRC capability required, firms should first assess what level of risk management is desired relative to the risk tolerance and risk appetite of their business. Firms should evaluate the level of integration and collaboration between different assurance functions and business groups that they are looking to achieve in the near and long terms. Point solutions for managing specific areas of risk – such as compliance, anti-money laundering or IT security – might be able to address an immediate regulatory need. However, even in the near term, they are bound to fail as they do not provide a holistic view of risk management, which is essential for making strategic business decisions. For greater visibility into enterprise-wide risk exposure, organisations must consider a fully integrated GRC system.
There are several GRC tools, ranging from those that focus on specific areas of risk to scalable systems leveraging an integrated platform for all GRC areas – operational and enterprise risk, regulatory compliance, supplier governance, internal audit, IT risk, business continuity and Sarbanes-Oxley compliance management. The integrated approach helps to meet GRC needs in a sustainable manner, whereas point solutions only aggravate the problem by creating information silos in addition to existing organisational silos. Organisations need to avoid this pitfall and aim towards an integrated GRC programme, even though the implementation itself might be phased, so that a common information model can be leveraged across the organisation.
How has more aggressive financial regulation affected GRC? How should regulators be involved in developing attitudes towards GRC?
Savin: More aggressive financial regulation has strengthened the need for GRC systems and for a global GRC system in large institutions. But regulators should remind the industry that GRC is a tool and not the end – the goal is not to produce reports but to analyse them and derive actions from them.
Pike: The new approach to financial regulation will have a profound effect on GRC systems. The main regulators’ objectives and thinking have deliberately been re-focused towards a proportionate and dynamic risk-based approach. This risk-based approach is one that is integrated and holistic towards all aspects of risk management and that provides for the effective use and allocation of resources.
In essence, a good GRC system is now crucial in ensuring that firms develop and maintain sufficient awareness, understanding and articulation around all the important aspects of their own risk management arrangements and governance controls.
Regulators are key in two areas of GRC: They should increasingly expect to see good-quality governance processes and systems. They should not be happy to see a hodge-podge of manual processes and systems that purport to control the risk and compliance processes. They should be looking for a joined approach supported by a combined framework and system.
And they should start to engage with the industry on the development of a set of data standards and taxonomies around risk and compliance that ensures the homogeneous data in this area can be organised, reported and mined for information both by industry participants and by the regulators themselves.
Kapoor: Based on recent market experience, regulators have clearly pointed out that failures and losses occur because management does not have real-time risk data. Moreover, lack of integration makes it difficult to correlate information effectively. Regulators have broad industry data and are using it to set expectations, share best practices and warn businesses of what should be avoided.
Aggressive financial regulations such as the Dodd-Frank Act have increased the need for firms to have more risk-related information, both at the enterprise level and at a granular level – for example, to comply with consumer protection laws. There is also a great need for reporting risk information to stakeholders and regulators. To help financial institutions in this endeavour, regulators can clarify the type of information required for industry risk monitoring, and also share best practices in risk management. This includes listing the types of risks and methods for monitoring these risks, which can be incorporated directly into a robust enterprise GRC tool to help track and initiate corrective management actions.
How can GRC systems and policy affect the efficiency of investigations into operational risk incidents such as fraud or rogue trading?
Pike: The key point about reporting and investigating loss events is context. If a large loss is reported but it turns out there was already an awareness that controls were sub-standard and there was a project in place to improve them, then that is a very different matter to a large loss being reported in an area where the business didn’t even think it had a risk.
Well-designed GRC systems that link data can provide this context automatically, making decisions about the next steps far more efficient and effective. They can also help to understand whether a problem is systemic or merely local. In the case of a fraud perpetrated in the payments area, a high-quality GRC system should enable you to quickly review the status of the controls in the other payments areas of the business and review testing, loss data and audit information for those similar processes.
Savin: I am not sure GRC would be very helpful in investigating incidents, if this means understanding and gathering evidence. But GRC would be very helpful in understanding and correcting failures in the risk and control management framework that may have led to the incident under investigation.
Kapoor: Integrated GRC systems can be highly effective in aggregating information related to the incident. This information includes key risk indicators designed to prevent or detect potential fraud, as well as assessments of controls designed to mitigate a particular risk.
A properly configured, robust enterprise GRC system that links specific risks to related metrics, expected control mitigants and historical issues will provide a 360-degree view of the risks. It also helps uncover the causal factors and identify opportunities. For example, the system could be used to collect human resources information related to traders who have not taken mandatory time off. This information could then be combined with reports of IT access breaches, along with financial metrics dashboards that show nominal positions exceeding trading limits, all linked to the same trader. A GRC system brings all of this information together for a chief risk officer to view and act on the results.
Is regulatory uncertainty a reason to implement GRC systems, or a reason to delay until more clarity is reached?
Kapoor: There is no end in sight for regulatory revisions or the introduction of new regulations. Companies that implement a GRC solution are better positioned to cope with this trend as they continue to use risk data as a basis for making more informed decisions. It also enhances the ability to respond to regulatory changes in a systematic and sustainable manner.
Firms should make an investment in GRC to mitigate known risks because, if these risks can happen, they will happen. Historically, losses in share value have been correlated to human judgement such as rogue trades or misplaced ‘bets’, as well as reputational risks and regulatory fines for non-compliance. Generally, the introduction of a new regulation is a reaction to risks that already exist. So, if a firm is implementing GRC to merely follow a regulation, the firm is doubly behind the curve with respect to strong management. GRC systems provide a proactive response to regulatory changes.
Savin: In my opinion, it is certainly true that GRC is strongly promoted by regulators, but it is useful in itself, so we should move forward whatever the regulatory uncertainty.
Pike: Regulatory uncertainties are key drivers in the need to implement a GRC system. Such a system should not rely on one or more particular pieces of legislation but on the firm’s overall ability to manage risk and compliance across all regulations. By reacting to regulatory change and implementing a set of one-off tactical solutions, a firm will increase costs and quickly find itself in a tangle of internal processes, controls and systems with no ability to provide assurance to investors or regulators that it is actually in control of its entire compliance process.
How has the case for GRC changed over the past few years?
Pike: The case for GRC has grown exponentially recently due to the change in regulatory focus that is emerging. The focus on risk-based approaches and on the governance of a process by the regulators requires a good GRC system in a financial institution.
In particular, this system should provide invaluable support for a number of transparent and tangible evidential governance elements and processes required by the regulators. It should provide a dynamic business and operational risk profile reflecting the nature, scale and complexity of the firm’s activities and operations. It should also include a workable and embedded methodology for the realistic identification and assessment of risks and exposures. It needs to involve the application of an appropriate and effective risk-based approach towards initial and continuing controls processes. It should deliver and maintain arrangements and obligations that support and address the broader systems and controls. It should contain an embedded framework and approach to forestalling risk, which is suitably reflected in internal training, culture and systems. Finally, it should provide an effective oversight and decision-making structure supported by relevant and meaningful reporting and management information that affirms and assures adequacy and effectiveness, and facilitates clear and timely action management on gaps and shortfalls.
Kapoor: It has become increasingly clear that better risk intelligence and timely corrective actions against known risks have saved firms from significant losses. The converse has been proven to be true as well: delays in the detection of risks and slow action against them have exacerbated losses.
Today, global interconnectivity between businesses has served to increase the severity of certain risks. With new regulatory requirements stemming from the financial crisis and the administration’s focus on increasing government intervention, the sheer volume of risk and compliance management responsibilities has exponentially increased over the past few years.
The implementation of an enterprise GRC programme can be leveraged as a rallying cry across the organisation, and can drive awareness about the inter-relatedness of risks. For years, credit losses were considered credit risks, but today there is a broader understanding that credit risks and related losses are often the result of operational risks such as collateral monitoring and fraud. As organisations and products become more complex, collaboration and heightened awareness on GRC have become more important than ever.