Eliminate the weak links in your GRC process

Traditionally staid business news is increasingly reading like the pages of a high-drama Hollywood script, complete with plotlines of employees circumventing security measures to defraud companies or making unauthorised trades that cause staggering financial losses. Financial services executives, understandably, are redoubling their efforts to identify gaps across the entire spectrum of financial risk.
As seen in the most recent example at a prominent European financial services firm, a rogue trader is often able to cause a serious loss if allowed to operate without adequate surveillance. The rogue trader in this instance appears to have been able to trade without limit, cover his trades with fictitious trades in dummy accounts, and generally manipulate the internal systems. This presents the market with a number of obvious concerns. The first is inadequacy in risk management, as the financial organisation failed to limit and control risk within the firm. Secondly, this situation identifies the failure of operational risk and compliance systems – both of which have as their focus controls over processes and adherence to regulatory and policy requirements. Lastly, the most apparent concern here centres on a lack of adequate surveillance and behaviour pattern detection, which would normally have identified and prevented these fraudulent activities.

Horizontal solutions lacking

No single software solution at the firm was able to detect this activity, as solutions developed in-house typically are focused on a very narrow scope of behaviour. In general, they are rules-based reporting engines (‘if trader A’s position in a security is short by x amount, report it’), which do not detect patterns of behaviour that occur outside the area they are focused on. A more sophisticated means of detecting behaviour across the organisation is necessary.
After careful review, many financial services executives are coming to the startling realisation that there are many potential weak links across their business. Generic risk and compliance initiatives miss critical elements that financial services institutions require to address their industry-specific risk behaviours, and to monitor and enforce evolving compliance mandates. To mitigate exposure to loss, financial services institutions require a broader and more industry-focused governance, risk and compliance (GRC) strategy that features both risk assessment and comprehensive behaviour detection mechanisms, aligned with strictly enforced policies that are ingrained in business operations.
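As an added illustration (not code from the article, nor from Reveleus or Mantas), the Python below contrasts a narrow per-account limit rule of the kind described above with a trader-level check that nets only externally confirmed trades and flags internal offsets. The blotter, the limit value, the field names and the ‘EXT’/‘INT-DUMMY’ counterparty labels are constructed assumptions.

```python
# Added example: a narrow per-account limit rule versus a trader-level
# correlation check. All trades, fields and thresholds are constructed.
from collections import defaultdict

SHORT_LIMIT = 1000  # assumed short-position limit per trader and security

# Constructed sample blotter: qty < 0 is a sale (short), qty > 0 a purchase.
# "counterparty" is an assumed field: "EXT" = externally confirmed trade,
# "INT-DUMMY" = booked against an internal dummy account, no confirmation.
TRADES = [
    {"trader": "A", "account": "DESK1", "security": "XYZ", "qty": -1500, "counterparty": "EXT"},
    {"trader": "A", "account": "DESK1", "security": "XYZ", "qty": +1500, "counterparty": "INT-DUMMY"},
    {"trader": "B", "account": "DESK2", "security": "XYZ", "qty": -400, "counterparty": "EXT"},
]


def narrow_rule(trades, limit=SHORT_LIMIT):
    """In-house style rule: 'if an account's position in a security is short
    by more than x, report it'. It nets every booked trade, so an offsetting
    dummy-account trade hides the real short. Returns breached (account, security)."""
    pos = defaultdict(int)
    for t in trades:
        pos[(t["account"], t["security"])] += t["qty"]
    return sorted(k for k, v in pos.items() if v < -limit)


def correlated_rule(trades, limit=SHORT_LIMIT):
    """Trader-level check: net only externally confirmed trades per trader and
    security, and separately flag internal trades that neutralise an external
    position. Returns sorted (alert_type, (trader, security), quantity)."""
    ext = defaultdict(int)
    internal = defaultdict(int)
    for t in trades:
        key = (t["trader"], t["security"])
        if t["counterparty"] == "EXT":
            ext[key] += t["qty"]
        else:
            internal[key] += t["qty"]
    alerts = []
    for key, v in ext.items():
        if v < -limit:
            alerts.append(("LIMIT_BREACH", key, v))
        # an internal offset of opposite sign to the external exposure
        if internal.get(key, 0) and internal[key] * v < 0:
            alerts.append(("INTERNAL_OFFSET", key, internal[key]))
    return sorted(alerts)


if __name__ == "__main__":
    print("narrow rule:", narrow_rule(TRADES))        # []
    print("correlated rule:", correlated_rule(TRADES))
```

The narrow rule reports nothing for trader A, while the trader-level check raises both a limit breach and an internal-offset alert for the same activity.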

Use the right tools for the job

Many financial services institutions have ill-defined risk management and compliance initiatives that leave blind spots between departments, systems and operations. Similarly, many financial services institutions rely too heavily on generic GRC directives to address financial industry-specific threats that range from capital markets trading abuse to bank money laundering. GRC, when implemented effectively, provides a framework to address enterprise-wide risks, improve operational performance, and address industry-specific compliance mandates and potentially malicious employee activities.
Traditional risk and compliance solutions are primarily designed to assess risk within business processes, and review regulatory and policy compliance requirements. A solution that guides well-meaning employees through policy compliance processes addresses a distinctly different business requirement than one that monitors for sophisticated attacks – targeted internally and externally – to bypass these very systems.
In addition to exposing risk management control gaps, recent news of rogue financial services employees manipulating internal systems to trade without limit spotlights the dangers of relying heavily on such systems for both risk and fraud monitoring – and how these systems lend themselves to employee manipulation and generally do not correlate surveillance across departments or events. Segmenting business functions also places the onus of behaviour detection and compliance monitoring on individual departments, which can limit business-wide visibility across operations. Financial services institutions require focused surveillance and behaviour pattern detection to identify and mitigate both inter- and intra-department activities that are potentially damaging.
In a banking environment, access to a clear, accurate view of business activities requires transparency across multiple business lines, customer accounts and the activities of the employees who manage these accounts. By establishing business-level insight across entire transaction processes, financial services institutions gain important visibility to detect and correlate suspicious patterns in seemingly innocuous events – including components of credit card activity, payment processing and loan activities. Financial services institutions that track the complete transaction lifecycle – including flow of funds, employee dealings and changes to transaction systems – are well positioned to identify suspicious behaviours as they happen.
In a trading environment, the bulk of internal software development effort is geared toward front-office trading and order management systems. Sometimes a solution is developed for a particular desk. In general, there are gaps in consolidation of information across trading systems, especially in terms of oversight. Employees are generally aware of these gaps. In the case of the recent incident of employee fraud at a prominent European financial services institution, the rogue trader definitely seems to have understood the gaps and was able to exploit them.
This situation points out the absolute necessity for an independent compliance monitoring system that can detect suspicious or irregular activity among all trades and orders in the organisation. This singles out the danger of using in-house systems for compliance monitoring – they lend themselves to more manipulation by unscrupulous employees. Lastly, there is an ongoing need for operational risk to be more closely monitored and enforced within financial services.
An independent trading compliance software solution can benefit a financial services institution in the following ways:

  • It allows surveillance of all trades and orders within the organisation.
  • It identifies sophisticated behaviour patterns that cannot be detected by in-house rules-based systems.
  • It provides indications on firm and customer positions on an almost real-time basis, enabling activity that is out of the norm to be identified quickly.
  • It works across multiple trading desks, financial products, exchanges and time zones.
  • It increases the ability to handle the rapidly changing world of regulatory requirements.
  • Compliance personnel can have alerts to suspicious behaviour sent to them on a single platform instead of spending time piecing together disparate data sources.

A third-party perspective to identify suspicious activities

Independent financial audits are commonplace in business because they provide third-party reviews of financial information. Similarly, an independent behaviour detection system – a system that is deployed and monitored separately from risk management and internal compliance solutions – provides an additional level of integrity to risk identification processes because it is not susceptible to exploitation by unscrupulous employees.
Technology alone, however, will not raise an organisation’s risk management benchmarks. Financial services institutions must align specific applications with specialised staff to monitor for irregular business activities effectively. Compliance departments, by definition, provide important checks and balances for company financial activities, and inherently act independently from the rest of an organisation. Compliance teams, for example, may conduct careful review of access rights and password control.
Audit or compliance employees typically also have a broad purview of business operations, and teams are trained to identify suspicious activity patterns across departments. Technology provides internal compliance and audit staff with the essential data for effective behaviour monitoring applications. It is the internal staff, however, that understands the financial services institution’s culture and provides the added human intelligence and insight required to gain significant value from surveillance and monitoring applications.

Internal checks and balances

Another potential weak point for many GRC initiatives is the absence of disciplined and clearly defined alert detection and management policies at the department and business levels. These policies must limit the number of individuals who are privy to suspicious behaviour investigations and simultaneously ensure that appropriate department managers and senior executives have real-time access to potential employee abuse activities. A structured ‘decision tree’ process tracks and categorises potential threats. This process aligns focused subject-matter experts with specific behaviour and compliance monitoring technologies – thus limiting who is involved in the process and who has access to alert information.
Failure to document and track suspected activities – even if they appear benign upon cursory review – might prevent the identification of subtle malicious behaviour patterns. A focused internal review system that incorporates department-based insight and company-wide surveillance is also essential in detecting risk. A multi-tiered review system has first-line compliance staff review an alert, then a second-line compliance manager reviews the initial staff findings and recommendations. Once an alert has been managed through the decision-tree process, a third-line compliance officer or chief compliance officer makes a final decision.
There is no single, simple answer to mitigating malicious employee activities. Financial services institutions must carefully align policies and technologies across all departments, and maintain the flexibility to defend against increasingly sophisticated – and potentially harmful – employee activities. To prevent new tools from exposing an organisation to risk, businesses must apply vigilance to a system that combines disciplined policies, a culture of checks and balances, and tools to detect and prevent abuse across entire transaction processes.

Author background
S Ramakrishnan is a 25-year finance and technology veteran with recognised expertise building systems and implementing analytic tools for large financial institutions. Ramakrishnan is chief executive officer of Reveleus and Mantas, which are both product offerings of i-flex solutions. i-flex solutions, majority owned by Oracle, is a world leader in providing IT solutions to the financial services industry, with more than 810 customers in over 130 countries.

About Reveleus & Mantas
i-flex’s analytical applications offering for financial services comprises an integrated suite of award-winning solutions – Oracle’s Reveleus and Oracle’s Mantas – that help financial institutions maximise profitability, minimise risks and deliver enterprise-wide compliance. The GRC framework for financial services brings together Reveleus’ unrivalled expertise in risk management solutions with Mantas’ industry-leading behaviour detection technology – both deeply rooted in the financial services industry. This combination helps financial services gauge the effectiveness of governance policies, manage business risks, and future-proof compliance expenditure across various regulatory mandates. Oracle’s Reveleus was ranked the Number 1 GRC software in the recently published OpRisk&Compliance 2008 Compliance Software Rankings. For more information, please visit: Iflexsolutions.com
