Over the past two years, a new set of risks has confronted financial institutions, demanding the attention of operational risk managers. These are not the conventional risk types that were historically the mainstay of governance, risk and compliance (GRC) platforms, but rather the more complex and challenging consequences of the digital age.
The threat of cyber attack is clearly the most significant and concerning of these risks, as financial institutions around the world face up to the inevitability of cyber crime and the need to build stronger defences and recovery mechanisms. Additionally, as social media plays a more important role in corporate communications, the associated reputational risk must be managed, while the increasing volume of data generated by banks brings its own unique set of challenges.
Many GRC platforms had already been overhauled in recent years to deal with the demands of new regulations, but these IT-related risks have become the latest drivers of change, requiring vendors to adapt their technology and build the functionality to assess and manage new risk types.
"In the current regulatory environment, there is more and more need for consolidated reporting and comprehensive understanding of the risks to which an organisation is exposed. You need a GRC platform that brings everything together, taking inputs from across business lines to create an aggregated picture of risk and a decision-making aid at the executive level," says Piyush Pant, London-based vice-president for strategic markets at software vendor MetricStream.
MetricStream wins this year's award for GRC platform of the year, having maintained a rigorous and exclusive focus on the GRC sector, an attribute that helped it to outflank some of its larger competitors. With 350 customer installations globally, MetricStream serves multiple industries, but financial institutions make up the largest proportion – around 45% – of its client base. It has been growing its overall client base at a rate of roughly 40% per year.
"We are probably the only vendor that has remained consistently focused on GRC and that has allowed us to evolve our product more quickly to meet the demands of our clients. We have concentrated in recent years on expanding the content of the platform and building a community among users so that they can collectively drive the enhancements they need," says Pant.
While sophisticated technology tailored to the needs of users is naturally central to the success of any platform, clients can also derive considerable value from having access to a pool of reliable and relevant content – such as market intelligence or regulatory feeds – particularly when confronting newer types of risk and regulatory requirements. In March 2014, MetricStream created a cloud-based portal, GRCIntelligence.com, to aggregate and host this kind of content, sourced from an approved set of providers.
For banks, the combined effect of regulation and the emergence of new risk types is driving them to make more detailed assessments of their exposures, with a particular focus on cyber risk, while also re-evaluating their GRC frameworks to incorporate a greater focus on IT-related risks.
"In the past, there were often two distinct categories of risk management within large organisations – one would be at the enterprise level and the other would deal with low-level IT issues such as server attacks. As IT risks have become more serious in recent years, we see many large financial institutions merging these functions, with cyber risk and IT risk becoming an integral part of the GRC framework," says Pant.
That amalgamation of risk frameworks is driven by both regulatory and management pressure, as regulators demand a more joined-up approach to assessing and managing risk, while management pushes for a rationalisation of systems to reduce costs and enhance efficiency.
"Many banks and large financial institutions have historically used multiple systems to track different types of risk, creating a high cost of ownership. As they bring IT risk management into the GRC framework, they are reducing the number of systems they run," says Pant.
The type of platform required can vary significantly from one bank to another, with some larger banks undertaking global GRC programmes that span multiple business lines and require significant customisation. At the other end of the scale, some smaller banks might look to address specific pressure points more quickly, which could mean a more straightforward installation.
"GRC is an interesting sector because all banks need this kind of software in place, but they do it in different ways. Large global organisations might need support for thousands of users, numerous businesses and multiple languages, but smaller entities will typically use a cloud-based pre-packaged system that can be deployed much more rapidly," says Pant.
Either way, the ambitions are broadly similar: to streamline GRC processes, comply with new regulations and ensure the business is responding to new and existing risks in a joined-up and coherent manner. Pant and his colleagues are eager to help clients achieve this.
The week on Risk.net, December 2–8, 2017