23 Jun 2011, Alexander Campbell, MetricStream, Wolters Kluwer, Operational Risk & Regulation
Gaurav Kapoor, Chief Operating Officer, MetricStream
Richard Pike, Risk Principal, and Holly Spencer, Senior Regulatory Consultant, Wolters Kluwer Financial Services
David Ridgway, Global Head of Operational Risk, BlackRock
The trend towards unified governance, risk and compliance (GRC) management systems is the single biggest development in the operational risk and compliance market in recent years. As regulators push for more stringent reporting requirements, and risk and compliance issues come under far more scrutiny from inside and outside the company, a recent Operational Risk & Regulation survey revealed that half of all financial institutions surveyed had either already bought GRC software or were considering buying it in the next 12 months. Proponents point to the advantages of abolishing the silo-driven oversight structures and replacing them with a single method of monitoring operational risk across every business unit in the company – making regulatory compliance and internal monitoring of risk easier and more reliable, and saving the wasted time and money associated with the duplication of internal monitoring, oversight and reporting in different silos and departments. Compliance with the Dodd-Frank Act requirements alone makes a strong case for simplifying, streamlining and improving risk reporting for any company that comes under the Act – and the same is true for European insurers preparing to comply with the Solvency II capital adequacy regime.
But introducing a GRC system – like any other major software system – is a significant project, and financial institutions need to be sure it will deliver the benefits it promises, both in regulatory compliance and in improved internal risk management and reporting. No less importantly, they need to know the pitfalls to avoid if the installation is not to become a costly failure. And they need to avoid treating the introduction of a GRC system as a technological quick fix: without human support at every level of the company, the system will be costly and useless, yet winning that support for a structural change of this size is never going to be an easy task.
Can a GRC platform help firms meet the challenges posed by the Dodd-Frank Act?
Richard Pike and Holly Spencer, Wolters Kluwer Financial Services: In recent years, with increased regulatory requirements like Dodd-Frank, organisations have had to expend significant resources to address risk, scrutinise their controls and analyse their business from a top-down and bottom-up perspective. With the increased demand for transparency around risk from the government, regulators shifted the risk assessment process from a ‘wait-and-see’ approach to an integral part of an organisation’s operational practices.
When done well, a GRC platform gives organisations the ability to identify, manage and mitigate internal and external risks to which they may be exposed, retrospectively or prospectively. Organisations with integrated GRC risk assessment processes are better positioned to capitalise on opportunities when they arise. Inevitably, this capability will help steer an organisation towards measurable, lasting success and longevity in today’s ever-changing regulatory climate.
David Ridgway, BlackRock: This would represent, in my view, a very practical application of GRC – a major, multi-dimensional and, more importantly, business-critical project that requires multiple groups at the table, working effectively together. I fear that a problem with GRC at the moment is it is not yet operating at this practical level.
Gaurav Kapoor, MetricStream: At a broad level, the Dodd-Frank Act calls for greater public transparency, higher market accountability, enhanced disclosure, more robust risk management and increased oversight – this is the essence of GRC. A GRC platform that facilitates a federated structure will ensure GRC programmes are well-aligned centrally and also distributed to lines of business, thus promoting ownership and accountability. Moreover, a GRC platform can clearly link and identify key processes, functions, risks and controls associated with the Dodd-Frank Act and highlight gaps as well as overlaps with other regulations, ensuring efficient and sustainable compliance. The MetricStream solution for regulatory compliance management, which is part of the GRC platform, provides a common framework and an integrated approach to managing all aspects of regulatory standards and guidelines, including the Dodd-Frank Act, with embedded content libraries. The solution includes functionality for regulatory compliance management, regulatory examinations, regulatory intelligence, and alerts and policy management. The solution also comes pre-packaged with regulatory content, industry standards and best practices.
What do you look for in a GRC provider?
Pike and Spencer: An excellent GRC provider should have a number of traits. It should be stable and sound – GRC is a relatively young practice that requires heavy investment and a long-term view of the market in order to succeed. This requires an established provider with the ability and resources to continually invest in its GRC offering so that it changes to meet your needs.
It needs to understand risk and compliance in all of their facets. Many GRC providers have arrived on the scene with an understanding of only one GRC area, such as audit or Sarbanes-Oxley compliance. To truly understand GRC, a provider must have clients and internal experts for all parts of GRC, and must be able to leverage those assets in the development and implementation of their solution.
It is also vital that your provider has a vision of GRC business practices and how they might be implemented. Although most clients have their own vision and approach, it is important that a provider’s products and services have a cogent methodology behind them. This does not mean that a system cannot be tailored to meet your requirements, merely that a provider should add value to your implementation.
Finally, a provider must understand your business. Risks are only relevant in the context of your business objectives. Pharmaceutical companies, for example, are concerned about different risks and regulations to those that banks are concerned about. Many GRC providers simply provide generic tools and have no clear understanding of their clients’ business. It is vital that your provider be focused on your industry so it can provide a solution that meets your needs.
Ridgway: When we looked at the market, we had some key considerations. Has the tool really been designed as a GRC system or is it just a number of different modules that a provider is trying to glue together? Is the provider able to articulate what GRC is and its potential benefits? And reflect this in tool design now and for the future? We need flexibility to enable us to configure a GRC system to reflect our business, and the system needs to reflect the fact that multiple control functions will need to use it and, therefore, needs a range of tools that can talk to one another. It needs to have a structure that allows each control function to do its job, but knits together at the top, and cost is a major consideration.
Kapoor: An effective GRC system must allow for seamless collaboration, easy decision-making and increased transparency between different business units and functional groups such as internal audit, operational risk, enterprise risk, regulatory compliance, financial and legal. The system should maintain the segregation and federation of functional processes. A flexible and extensible data model that enables design of multi-disciplinary and integrated GRC ecosystems spanning a range of control and assurance processes is a must. MetricStream is witnessing the rapid adoption of its GRC platform – considered one of the most flexible GRC software systems in the industry – which is particularly critical in financial services given the complex and global organisation structures with multiple business lines. The platform contains several core functionalities such as a built-in reporting engine, a data integration engine, a workflow engine, an advanced security model and enhanced accessibility to facilitate the integration of GRC programmes.
Many organisations are beginning to realise the benefits of replacing legacy and first-generation systems with an integrated GRC platform that allows them to run different GRC processes – such as maintaining control libraries; qualitative risk assessments and quantitative modelling engines; issues; loss management; Sarbanes-Oxley; audits; analytics; action plans; regulatory intelligence tracking; and relationships with regulators – on one common but federated information model. For example, one of our customers – a large global financial institution – replaced separate data repositories with a common library for risks, controls, regulations, audits, key risk indicators and losses across all of its product lines, thereby enabling different groups to share and leverage information and data from across the enterprise.
Who needs to be involved with and lead a GRC programme?
Pike and Spencer: A key failure of organisations’ risk and compliance frameworks has been the lack of understanding of the causal relationships between different risk types. It is now understood that many risks are interrelated, and models that do not take this into account are fatally flawed. Increasingly, we see that control failures, risk events, policies, risk models and management issues are all part of a fluid network of risk that changes with the business. Each node in this network must be understood in the context of the other nodes surrounding it. GRC systems can enable managers to start mapping these relationships so they can be understood even if they cannot yet be accurately modelled. In order to do this, people who understand the various risk types and their possible relationships to others must be included in the GRC implementation project. The best person to lead a project is someone who can see across all of the functions – a chief operating officer, a chief governance officer or someone from their teams – rather than an individual from one of the assurance functions.
Ridgway: As a minimum, the programme needs to include the heads of each of the control functions – operational risk, audit, Sarbanes-Oxley, Statement on Auditing Standards No. 70, business continuity management, technology risk and compliance. We have also found an underlying working group is necessary. Strong leadership is essential. I don’t think it matters as to the title, but you definitely need someone who is senior, experienced and passionate about the issue, and has the ability to portray a vision. The programme needs to achieve buy-in or at least acceptance that GRC is required from the chief risk officer and chief financial officer. And they shouldn’t forget to include input from key external stakeholders such as regulators.
Kapoor: Today, the GRC process is no longer an ancillary process but a core element of business operations. It touches every aspect of the organisation. While the GRC programme should be designed centrally, it should be implemented in a federated manner with active involvement of lines of businesses.
The increasing cost of managing risk, regulatory compliance and audits in silos is prompting most financial institutions to deploy a federated model of GRC that is closely aligned with business strategy and facilitates decision-making. For instance, one of MetricStream’s customers – a large bank – has successfully completed a strategic risk management initiative that aims to integrate risk management into decision-making and drive a culture of business ownership, while simultaneously ensuring compliance with industry and company standards supported by the MetricStream GRC platform.
What are the key milestones a firm needs to plan for?
Pike and Spencer: The key milestones for such a project are defined by the main aim of the final system. One possible aim for a GRC project is to consolidate multiple assurance systems. In this context the milestones will include system installation; transfer completion from the original systems; user review of a functional match between old and new systems; full system test completion; user training; and cut-over of individual systems. Another aim is to provide integrated C-suite reporting, in which case the milestones will include all of those previously mentioned, and the definition of the reporting pack for senior executives; identification of all of the elements and calculations required for those reports; and completion of report production process testing.
Ridgway: From the project’s start, the firm needs to establish its priorities and objectives, and plan the project’s phasing. It needs to be clear on the various roles and responsibilities. Are the charters of the various control functions agreed between the teams? And what are the roles and responsibilities on the GRC project itself? You need to devise a common taxonomy – an agreed set of organisational processes, and risk and control structures that everyone is to use. Governance is important, both between the different control functions and across the GRC project.
How can firms avoid pitfalls, secure quick wins and retain interest in the long term?
Pike and Spencer: The key early wins must be achieved at the C-suite level. Many of those involved in GRC projects attempt to get everything right before they deliver reports to senior executives. Instead, reports on the key risks to the business should be first, even if the data supporting them is sparse and/or missing. This will show the executives the sort of information they can get. When they ask for details or drill-downs and are told it is a later deliverable, they will then help to force the project along. The focus on the key risks and scenarios, and how they are related to day-to-day information in the GRC system, is the best way to retain interest in the project for the long term.
Ridgway: It’s essential to have a clear articulation of what we are trying to achieve. We have to be clear about the benefits and costs, and not exaggerate them. So you need to be able to answer the question ‘what does the firm need and when?’ by saying ‘we needed to do certain things because it was critical to us’. You need to draw a very clear distinction between the GRC project and the supporting system. We have found too many people fall into the trap of thinking it’s all about the latter. You shouldn’t assume the control functions all understand what the others do and how they fit together. You need strong leadership and governance with dedicated supporting resources, and there has to be a credible vision with a detailed supporting plan.
What are the benefits of putting together an integrated GRC platform?
Kapoor: Banks operate in an environment marked by growing uncertainty and opportunity in business outlook, customer-centric regulations, stricter regulatory supervision and rising costs of services. There is also the increased probability of rogue trading, operational lapses, internal fraud and personnel issues. Restoring long-term confidence in the financial services industry will require more than just government intervention, fresh capital and updated regulations, it will need more organisational transparency and higher collaboration. Internally, most institutions are operating in silos with disconnected systems and low collaboration among business units. Risk, audits and compliance are also running as disparate programmes. Exploiting the synergy between them can enable better collaboration, transparency, insight, governance and performance. A fully integrated solution that includes a common informational model, common understanding of risk vocabulary and collaboration will provide maximum benefits for the organisation.