GRC Survey 2015 – Gaps in risk and compliance processes expose banks to further risks

Multi-billion-dollar fines levied on global banks for compliance breaches and control failures have made headlines the world over ever since the onset of the financial crisis. Some of these contraventions were egregious, others were merely careless. Collectively, many of these fines could have been prevented if the three lines of defence were co-ordinating their risk, compliance and internal audit processes at a holistic, enterprise level. A governance, risk and compliance (GRC) platform enables organisations to achieve this goal.

We surveyed key decision-makers across a range of job functions – including risk managers, compliance officers and internal auditors – to ascertain how they perceived GRC within their respective organisations.

GRC is a discipline that identifies synergies in information and activity across corporate governance, risk management and regulatory and internal compliance in order to create effective risk and compliance processes. These processes – if implemented effectively – enable organisations to maximise shareholder value through a better understanding of the risk a bank is exposed to, enhancing the control environment of these risks and reducing non-compliance issues.

As financial services organisations grow and mature, co-ordinated GRC initiatives are required. GRC processes, while achieving different objectives across the independent three lines of defence, are interconnected and rely heavily on people, processes, technology and information. Having connected oversight of each business segment helps to mitigate risks and reduce compliance breaches, thus avoiding potential reputational damage and financial losses. Using a common technology platform eases the burden of oversight and reporting for all lines of defence.

To take a simple example, adopting a GRC system can turn the burden of collating information for risk and regulatory reporting into a seamless exercise, freeing up the time for risk and compliance managers to fine-tune risk tolerances and department heads to increase business.

The most striking finding in our survey was that more than one-third of all respondents perceived regulatory, reputational and operational risk to be their number one concern. These are risk categories where an integrated GRC approach is normally deployed in mature organisations.

Drilling down into risks by country we can see that in developed countries such as Australia, Hong Kong and Singapore, regulatory risk is the biggest concern. This contrasts with Indonesia, where more respondents are concerned about operational risk, and Thailand, where the biggest worry is credit risk.

Matthew Sullivan, general manager at Wolters Kluwer, notes: “compliance with regulation is something that firms are right to consider a high priority and co-ordination across business lines is key to meeting regulators’ demands.”

Our survey revealed varying degrees of preparedness to deal with regulatory risk. As could be expected, in developed markets where regulatory pressure has been greater for longer, banks are generally more advanced in their GRC frameworks than those in developing markets, with a higher percentage of respondents saying they are “well prepared.” Overall, nearly 90% of those polled said they were “prepared” or “well prepared” to comply with current and emerging rules and regulations, though Sullivan observed there could be a degree of complacency indicated by the survey responses, compared to the reality that these banks find themselves dealing with.

“The vast majority of respondents say they are ready to comply with regulations, but there is a disconnect between this perception and what we read in the newspapers and what regulators believe. Organisations need to stay firmly on top of their systems and processes to ensure they are not caught off guard.”

Despite this, there are encouraging signs that organisations are keen to be as efficient as possible with the roll-out of their GRC programmes, with the majority of respondents stating that automation of GRC processes is important.

 

 

  


  
The Philippines, in particular, stands out as a country in which manual processes are prevalent and where 57% agree with the need to achieve efficiency gains through automation. “Other countries in South-east Asia, such as Malaysia and Indonesia, have started the automation process, whereas the Philippines is further behind the curve, but it’s never too late to catch up,” says Sullivan.

Reflecting on their current GRC technology, 83% of those polled responded that it is “adequate” or “good”. In developing markets, banks are generally less confident in their GRC technology, as is shown by the higher percentage who answered “adequate” relative to “good”. These results are indicative of risk and compliance organisations’ initial attempts to implement stand-alone solutions to manage their GRC.

Furthermore, around 25% of respondents do not believe their current GRC technology is sufficient to meet their needs. Again, what stands out is the paradox that, while the vast majority of respondents say their GRC technology is “adequate” or “good”, another 25% say it is not sufficient to meet their needs.

“Respondents generally believe they have an adequate system in place, but the system isn’t sufficient to meet their needs,” says Sullivan. “Technology is in place, but doesn’t appear to be meeting the goal due to a lack of automation.”

   

In terms of how the GRC platform is developed, nearly half (46.2%) of respondents have an in-house developed model, while 25% use a third-party solution and a significant number (17%) are still using manual processes such as Excel spreadsheets. Sullivan comments, “In-house-developed systems are doing their job as defined by the user, but they cannot do everything that specialist solutions can, and typically are not integrated across the three lines of defence.”

Indeed, using the latest technology helps to maintain high levels of efficiency and can future-proof a business against big leaps in technology innovation. With reputational risk scoring highly among respondents, any step that preserves a company’s good name should be a priority.

When it comes to budgets and spending goals, Australia, Hong Kong and the Philippines intend to invest aggressively, spending between 10% and 25% more this year. Without doubt, regulatory pressure will drive the need for banks to be more GRC-efficient and, therefore, increase spending. Australia, for example, recently mandated that financial institutions comply with CPS 220 risk management standards without exemption, including a requirement for the bank’s board to sign off on its risk management framework every year. This contrasts with Thailand, where the regulators are not actively pushing banks to implement GRC, and our survey bears out the lower regulatory emphasis on GRC with lower forecasted spending budgets.

Of concern is that, with regulatory pressure, GRC budgets are seen as a barrier. One-fifth of respondents said they have no automation in place due to insufficient financial resources. This should not, however, hold back the planning and future budgeting for resources in this area. But, even where budgets are in place, there are still obstacles to making a GRC system a reality. “Nearly 30% of respondents told us that risk, compliance and internal audit functions are generally using inconsistent methodologies to assess risks and controls, so to assign ownership and integrate these functions is a big challenge,” noted Sullivan.

Internal disagreement about ownership of a GRC solution is another issue. In developed markets risk managers taking ownership of GRC is more common than in emerging markets. Insufficient support from senior management was also cited by a number of respondents. This point goes to the heart of governance and demonstrates why firms need strong leadership from the top down to instil an enterprise-wide risk culture.

But, if these obstacles can be overcome – the ability to automate key compliance workflows, detect risk policy breaches and streamline response decisions, allowing risk management to take place in real time – it will free up time for risk managers to be ahead of the curve and keep their organisations out of the headlines.

Call to action
• Align people, processes and technology to achieve synergies across the three lines of defence.
• Assess how automation will help the organisation to streamline risk and compliance processes by reducing duplication of efforts and aligning internal processes and methodologies.
• Obtain senior management support and pool budgets and resources across the organisation, with the aim to implement coherent GRC processes.

Download/read the article in PDF format

Sponsored content