Think Governance, Risk and Compliance (GRC), and we immediately imagine numerous controls regulating an already overcomplicated business world. GRC technology has matured greatly over the past decade, but the answers to my questions point to some interesting gaps in the GRC technology in use today.
Can this be simpler? I set out to find how banks are approaching these issues:
- How are banks approaching GRC?
- How far have banks gone in adopting analytics for GRC?
- How have banks integrated taxonomies into their framework?
Entangled in the Current State
In the aftermath of the financial crisis, and with the global economy stuck perpetually in second gear, banks started to lose their monopoly in the business. Fintechs entered the arena with a better customer experience, lower pricing, tailored products, and faster turnaround, often under lax supervision. What followed was a maze of quick-fix regulations targeted at banks, added layers of controls, and expanded internal and external reviews. At the heart of this jigsaw puzzle is the GRC framework, often put together as a reaction to global regulation or as a remediation plan after a compliance failure. The myriad systems that support GRC frequently produce backward-looking reports that serve only to support examinations and audits, rather than forward-looking strategic decisions.
Banks' operational risk models largely relied on historical loss data (internal as well as consortium data) and on often myopic scenario planning. Senior managers assumed that a tsunami could be predicted by observing the superficial wave patterns of ordinary tidal activity. In our context, the tidal activity observed was the USD 1M to 10M losses due to compliance failures; however, the different catalysts of that activity that build up to a tsunami (incidents such as insider trading, fraud and misconduct) remained beyond the coast guard's view. These incidents may not share common root causes.
As a result, some banks have taken up initiatives to simplify GRC, and to introduce forward-looking analytics that can help in risk-related decision-making.
GRC Simplification Survey
We asked the OCEG community of practice to give us their opinion, and here is what we learned:
Some respondents (about a fifth) have not used even a single risk taxonomy, whereas the majority of the organizations surveyed use multiple risk taxonomies. I observed that the areas with common risk taxonomies are the ones where banks use enterprise systems, such as finance for organizational structure. The correlation of governing documents to regulatory requirements is also in progress at most organizations. In contrast, the areas of interaction with regulators, such as certifications, and the operationalization of compliance with those requirements, such as business rules, are lagging. Some banks have upwards of 1,000 controls within their GRC framework, and duplication of effort remains evident. Only 10% of participants said they use forward-looking analytics, whether early warning systems or predictive analytics leveraging Big Data. Yet banks need smart data from Big Data in risk management, to look into root causes and insights. Here is a summary of the results from the survey.
Recommended Solution for GRC Simplification
The future of operational risk leverages harmonized frameworks and a simplified set of controls as the basis for moving to predictive analytics. One of the foundational pillars of simplification is harmonizing taxonomies, that is, the GRC language of the bank. Banks have often used different taxonomies for operational risk, security, fraud, compliance, and so on, producing irreconcilable risk assessments: while security used an asset-based approach, operational risk used a process-based one. Several further disparities persist in the way banks assess operational risk versus other risk types.
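To make the harmonization point concrete, here is an added example (not from the original article or any bank's GRC tooling) of a control crosswalk: controls kept in an asset-based security taxonomy and a process-based operational-risk taxonomy are mapped to one harmonized risk category, after which controls that cover the same harmonized risk (duplicated effort) and harmonized risks that no control covers (gaps) fall out mechanically. The taxonomy labels, control identifiers, crosswalk table and sample inventory are all constructed for illustration.

```python
"""Control crosswalk: map two local risk taxonomies onto one harmonized
taxonomy, then report duplicated and missing control coverage.

Added example with constructed data; not from the original article.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str
    owner: str        # second-line function that owns the control
    taxonomy: str     # local taxonomy: "security" (asset-based) or "oprisk" (process-based)
    category: str     # category within that local taxonomy
    description: str


# Harmonized risk categories the bank has agreed on (constructed list).
HARMONIZED_CATEGORIES = [
    "unauthorized-access",
    "malicious-code",
    "data-loss",
    "transaction-error",
    "external-fraud",
]

# Crosswalk from (local taxonomy, local category) to a harmonized category.
# Hypothetical mapping; in practice this table lives in the GRC tool.
CROSSWALK = {
    ("security", "privileged-access"): "unauthorized-access",
    ("security", "endpoint-malware"): "malicious-code",
    ("security", "data-leakage"): "data-loss",
    ("oprisk", "payments-process-access"): "unauthorized-access",
    ("oprisk", "client-data-handling"): "data-loss",
    ("oprisk", "trade-booking-errors"): "transaction-error",
}


def harmonize(control):
    """Return the harmonized category for a control; raise KeyError if unmapped."""
    return CROSSWALK[(control.taxonomy, control.category)]


def find_overlaps(controls):
    """Group controls by harmonized category.

    Returns (overlaps, unmapped): overlaps maps each harmonized category that
    has more than one control to the sorted list of those control IDs;
    unmapped lists control IDs whose local category has no crosswalk entry.
    """
    by_category = defaultdict(list)
    unmapped = []
    for control in controls:
        try:
            by_category[harmonize(control)].append(control.control_id)
        except KeyError:
            unmapped.append(control.control_id)
    overlaps = {cat: sorted(ids) for cat, ids in by_category.items() if len(ids) > 1}
    return overlaps, sorted(unmapped)


def coverage_gaps(controls, harmonized_categories=HARMONIZED_CATEGORIES):
    """Harmonized categories that no mapped control covers (the opposite failure)."""
    covered = set()
    for control in controls:
        try:
            covered.add(harmonize(control))
        except KeyError:
            continue
    return sorted(set(harmonized_categories) - covered)


# Constructed sample inventory: two functions, two taxonomies, one stray fraud
# control whose category was never added to the crosswalk.
SAMPLE_CONTROLS = [
    Control("SEC-001", "CISO", "security", "privileged-access", "Quarterly review of admin accounts"),
    Control("SEC-002", "CISO", "security", "endpoint-malware", "EDR deployed on all endpoints"),
    Control("SEC-003", "CISO", "security", "data-leakage", "DLP on outbound email"),
    Control("OPR-010", "OpRisk", "oprisk", "payments-process-access", "Four-eyes on payment release"),
    Control("OPR-011", "OpRisk", "oprisk", "client-data-handling", "Client file access logging"),
    Control("OPR-012", "OpRisk", "oprisk", "trade-booking-errors", "T+0 trade reconciliation"),
    Control("FRD-020", "Fraud", "fraud", "account-takeover", "Device fingerprinting at login"),
]


if __name__ == "__main__":
    overlaps, unmapped = find_overlaps(SAMPLE_CONTROLS)
    print("duplicated coverage:", overlaps)
    print("controls outside the crosswalk:", unmapped)
    print("harmonized risks with no control:", coverage_gaps(SAMPLE_CONTROLS))
```

On the constructed inventory the report shows "unauthorized-access" and "data-loss" each covered by one security control and one operational-risk control, FRD-020 sitting outside the crosswalk because the fraud taxonomy was never mapped, and "external-fraud" covered by nothing. Two controls in the same harmonized bucket are not automatically redundant (SEC-001 reviews accounts, OPR-010 gates a payment), but the crosswalk is what lets the second line see them side by side and decide, which is the conversation a bank with a thousand unreconciled controls cannot have.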
Embracing technology for GRC transformation
In the medium term, as core processes are digitized, we expect initiatives to simplify the GRC landscape and incorporate predictive analytics, in preparation for a more agile and competitive bank of the future capable of staving off Fintech challengers. Current regulatory initiatives such as the Standardised Measurement Approach (SMA) from the Basel Committee require banks to predict and contain operational losses in order to derive a capital benefit.
At present, organizations view operational risk as a set of discrete controls spread across the second line of defense, using a diverse skillset. Our view is that organizations need to transform their GRC program to achieve better, cheaper, and faster execution that generates the following business benefits:
- Cost optimization: Simplification, digitization, and automation result in reduced expenses and enhanced operational efficiency
- Enhanced competitiveness: Digitization to support and regulate the bank of the future instills greater agility to compete against disruptors
- Better decision making: Analytics-led early warning signals in loss detection, reconciliation, and so on, along with digitization of the core systems in the medium term, provides the organization with precious time to craft the best action plan in response
- Consistency: Removing overlap in activities, controls, and responsibilities, along with legacy complexity and duplicated effort, enables real-time control intelligence through internal control automation and automated controls testing
- Real-time intelligence: Effective and efficient decision-making, real-time risk monitoring, and regular compliance and environment monitoring enable the application of policies and standards at the time of business process execution to prevent non-compliance or the acceptance of risk beyond tolerable thresholds, and also predict the impact of change
Depending on their specific needs, banks should explore options such as:
- Use process modeling to achieve process simplification
- Implement straight through processing (STP) where applicable, to reduce overloads and eliminate bottlenecks
- Use analytics to detect process anomalies and identify streamlining opportunities
- Explore automation possibilities for rule-based, repetitive processes including controls testing
- Use cognitive techniques like image, biometric, and voice recognition to simplify processes
- Use deep learning techniques to reduce false positives, and for decision support
Thus, the future of GRC lies in balancing prudential requirements against optimization efforts within a compliant landscape.