A new OpRisk&Compliance intelligence survey indicates that while governance, risk and compliance frameworks are extremely popular and desirable, risk and compliance executives face substantial challenges in implementing them.
A new survey, sponsored by risk consulting firm Protiviti, shows most executives have a very traditional view of a governance, risk and compliance (GRC) framework – it contains operational risk (89%), credit risk (70%), and market risk (65%). Financial reporting compliance (36%) and IT governance (38%) were less popular components. Regulatory compliance (59%) and strategic/business risk (47%) weighed in somewhere in between, in terms of what firms have actually implemented.
Respondents also believe that GRC platforms should contain risk and control self-assessments (77%), loss data and collection management (73%) and key risk indicator (KRI) monitoring (67%). Fancier components, such as a performance management tool that linked key performance indicators to corporate objectives, have been implemented by only 36% of respondents, while online remediation or issue tracking occurs at 34%. Even scenario analysis functionality is implemented at only 41% of respondents.
Most of the respondents agree that aggregating enterprise-wide risks and reporting them to executive management through a common risk language (76%) is important, but only 52% do this at their firms. As well, respondents said that it is important that various team involved – including legal, compliance, enterprise risk, and internal audit – periodically communicate with one another with respect to planning and execution, even if they perform their activities independently (71%). Interestingly nearly 66% claim to do this at their firms already.
But then there is more than a 10 percentage point drop-off, with 59% of respondents indicating that it is important for enterprise risk and compliance oversight to be centralised under one chief compliance or risk officer. Only 46% said that their firms have this structure in place.
Also, 59% said that it was important that their risk management teams document policies, procedures, risks and controls on a single platform to ensure consistency while leveraging each others' efforts, but just 39% do this. And only 43% indicated that it was important that risk information housed across disparate systems are incorporated into a single platform via key risk indicators or other reporting metrics – just 25% said their firms do this currently.
So while progress is being made at firms in terms of implementing a GRC framework, there is still a mountain to climb. "The key to implementing a successful GRC programme is top-to-bottom buy-in across the organisation," says Protiviti's Scott Wisniewski. "Executive management must see value and champion the cause. Risk management teams will need to give up a degree of control over their specific domain and be willing to speak the same risk language. In developing a common risk language, successful organisations recognise that a given risk may impact the organisation's ability to govern, manage risk, or comply with regulations all at the same time. Because risks are not mutually exclusive across GRC domains, it is imperative to drive ownership into the business. For this reason, the business units must accept ownership of their risks and actively participate in the risk management process."
Interestingly, when asked what the key barriers were to implementing a GRC framework, executives indicated that all of the suggested barriers were of near equal importance – perhaps hinting at the frustration they are feeling. The highest barrier was "high cost of implementation with lack of demonstrable return on investment", with 56% of respondents selecting this phrase. Second highest, at 51%, was the lack of a single vision and common language for managing risks across the organisation. Tied for third, at 40%, were "change management within the organisation to support tighter coordination across risk management teams," and "lack of adequate technology solutions to facilitate execution of integrated GRC activities".
Indeed, echoing these responses but in reverse, those who filled in the survey indicated that the key success factors for a GRC programme were the development of a common methodology or approach to GRC activities across enterprise risk areas (64%) and the ability to articulate and demonstrate the value proposition (62%). Coming in a close third was the need to implement a single GRC technology platform to facilitate documentation, communication, assessment and reporting across GRC activities and enterprise risks. According to an executive who responded to the survey: "Enterprise-wide risk management solutions to cover the generic risks and computation of economic capital would allow us to achieve significantly greater value."
However, not all respondents agreed with this last point. One wrote: "Don't see technology as a high priority issue from an ERM perspective. The challenge is more to do with getting business on board and have a common language that business with no risk background can understand."
"There are both quantitative and qualitative advantages to implementing an integrated GRC programme, says Wisniewski. "A quick win with respect to ROI is to determine the potential reduction in centralised risk management resources, supporting IT resources, and licensing/maintenance fees that can be achieved through an integrated approach and utilisation of a single technology platform. Implementation of a single GRC programme should also reduce the amount of time spent gathering and producing information for external parties such as auditors and regulators."
About one-third of firms (34%) have already implemented a GRC technology system, while another 22% say they are intending to implement a platform but have not yet done so. Another 22% say they are considering a GRC platform but haven't yet made up their minds, while a surprisingly high 22% say their firms are not considering a GRC tool. The vast majority of those who have implemented a GRC tool say they are satisfied with the product they have.
So, given the results of this survey and the challenges faced by firms when it comes to implementing an enterprise-wide GRC framework, a natural question to ask is how the software space will evolve over the next 18 months to two years, to meet the needs of the financial services firms.
"GRC technology vendors have, to date, concentrated on developing the architecture and workflow to manage the GRC process itself," says Wisniewski. "As the results of the survey would suggest, integration has mostly involved the relationship of data housed natively within the platform, for example, RCSAs, loss data and KRIs. While nearly 70% of respondents indicated that they'd implemented a KRI monitoring program, only a quarter currently aggregate risk information housed across disparate systems through a single platform via KRIs or other reporting metrics. Consistent with the theme of integration and the importance of driving ownership into the business, GRC technology platforms will expand their reach into the business and function as the central consolidator of risk or performance metrics originating from multiple systems across the enterprise."
Certainly, the results of this survey show that the GRC sector is a rapidly evolving one, and that thorny challenges that are being faced by financial services firms have only part-solutions at the moment. However, the enthusiasm for GRC is unmistakable. Firms are for the most part keen to put these enterprise frameworks in place to help better manage risks and improve overall business performance.