Managing risks that affect the business is a fundamental activity, as these risks influence an organisation’s performance, reputation and future success. With this, the enterprise governance, risk & compliance (GRC) framework is steadily becoming an integral and vital element for enabling financial institutions to operate profitably and effectively. In today’s environment, organisations have started to perceive the GRC framework as a tool to provide better corporate governance and performance, rather than it simply being a risk register of their assessments as it has been in the past.
Risk versus reward
Though risk and reward are two sides of the same coin, they are often looked at and managed in silos. The GRC framework has in the last few years become quite systematic, informative and advanced. It is increasingly becoming the tool of oversight for boards of directors. Hence, organisations are now trying to adopt much more coherent, board-led frameworks for GRC that communicate with all risk departments.
The GRC framework has also seen itself converging with financial crime and compliance systems of late. There are enough touch points between financial crime and compliance management systems and GRC systems to ensure a reduction in financial crime and operational risk losses, which is particularly significant following the recent bank scandals.
Compliance management within the GRC framework has also gained momentum. It has its natural interaction with operational risk, but of more value are the compliance workflows, which aid actual compliance execution, tracking and monitoring and, hence, interjecting compliance assessments with actual facts. There has been a shift in the compliance paradigm from being simply rule books to becoming comprehensive risk-based compliance management.
Though organisations are quite focused on risk and performance independently, and continue to improve these practices extremely effectively, the convergence of these aspects in order to add value to one another has been missing. Setting up the risk and performance objectives and then combining them with the right risk appetite levels could facilitate very useful business portfolio decisions against risk/reward, of which the figure below provides an illustrative example.
[Figure: Business portfolio decisions]
What is required to get there?
The most important aspect is the creation of a risk-aware and risk-responsive culture, one where risk is embraced in a very receptive, optimistic and proactive manner. Risk is as much about the right culture as it is about people, processes and systems. An aware and risk-responsive culture is one where risk is integrated with strategy setting and its execution. It is important to see the upside and downside impacts of such an opportunity. Unfortunately, the benefits are so ingrained in us that we quite often overlook the downside impact in an effort to gain instant benefits. However, without sufficient oversight controls, risk appetite and a risk management framework integrated into your business, you will quickly find yourself in situations that will have long-term implications for the business, and especially for its reputation. So, with every new opportunity an organisation needs to identify and assess the possible events associated with the opportunity. It must evaluate how good or bad it can get, and whether it is OK to end up somewhere in between. A comprehensive risk analysis is required before stepping into every opportunity.
Addressing big data
While trying to balance the risk/reward equation, financial institutions and GRC professionals must tackle the modern-day opportunity of big data. The challenges to be faced and potential lessons to be learned can be huge for an organisation.
For example, how can GRC professionals collect, manage and analyse an enormous and disparate volume of data to create and manage their own actionable intelligence covering hidden signs and patterns of criminal activity, the early or retrospective violation of regulations/laws/corporate policies and procedures, emerging risks and weakening controls, etc.? Not exactly the stuff of James Bond, but certainly more applicable to most GRC professionals’ day-to-day challenges.
How can big data benefit the GRC process?
As revealed by recent Forrester research, high-performing companies – effectively, those that are growing 15% or more year-on-year compared to their peers – are taking a selective approach to investing in big data.
An ever-increasing volume of regulatory demands and fines for getting it wrong, limited resource availability and out-of-date or inadequate GRC systems are all contributing to a higher cost of compliance and/or a higher risk profile than desired – a big-data investment in GRC clearly falls into this category.
However, to make the most of big data, organisations must evolve both their business and IT procedures, processes, people and infrastructures to handle these new high-volume, high-velocity, high-variety sources of data and be able to integrate them with the pre-existing company data to be analysed.
GRC big data clearly allows an organisation access to and management over a huge amount of often very sensitive information that can help create a more risk-intelligent organisation. This also presents numerous data governance challenges, including those of regulatory compliance and information security.
In addition to client and regulatory demands over better information security and data protection, the sheer amount of information that organisations deal with and the need to swiftly access, classify, protect and manage that information can quickly become a key issue from a legal, as well as technical or operational, standpoint. However, by making information governance processes a bigger part of everyday operations, organisations can ensure data remains readily available and protected.
The right GRC and big-data partnership is key
To make a big-data GRC initiative work and deliver the desired value, partnerships with companies that have a long history of delivering successful GRC solutions, as well as being at the very forefront of technology innovation, become key.
The solutions that stand out and should be explored are those that can seamlessly merge the traditional world of well-known data, analytics and visualisation with the new world of seemingly innumerable data sources, utilising big-data technologies to generate new GRC insights right across the enterprise. Ultimately, big data is here to stay, and organisations that embrace its potential and outline a viable strategy, as well as understand and build a solid analytical foundation, will be the ones that are best-positioned to make the most of it.
A blueprint and roadmap service for big data
Big-data adoption is first and foremost a business decision. As such, it is essential that your partner can align your strategies, goals and objectives with an architecture vision and roadmap to accelerate adoption of big data for your environment, as well as establish practical, effective governance that will maintain a well-managed environment going forward.
While your initiatives will clearly vary, there are some generic steps the team and organisation will be required to complete at the outset of the process:
- Clearly define your drivers, strategies, goals, objectives and requirements as they relate to big data.
- Conduct a big-data readiness and information architecture maturity assessment.
- Develop future-state big-data architecture, including views across all relevant architecture domains, businesses, applications, information and technology.
- Provide initial guidance on big-data candidate selection for migrations or implementation.
- Develop a strategic roadmap and implementation plan that reflects a prioritisation of initiatives based on business impact and technology dependency, and an incremental integration approach for evolving your current state to the target future state in a manner that represents the least amount of risk and impact of change on the business.
- Provide recommendations for practical, effective data governance, data quality management and information life-cycle management to maintain a well-managed environment.
- Conduct an executive workshop with recommendations and next steps.
There is little debate that managing risk and data are the two biggest obstacles encountered by financial institutions. Big data is here to stay and risk management certainly is not going anywhere, and ultimately financial services industry organisations that embrace its potential and outline a viable strategy, as well as understand and build a solid analytical foundation, will be best positioned to make the most of it.
For more information on Oracle Financial Services’ GRC solution, contact Matthew Long, Financial Crime and Compliance