Inclusive solutions for enterprise risk and compliance
Over the last several years, bank governance, risk and compliance (GRC) programs worldwide have been placed under increased scrutiny by regulators, elected officials and the public. The myriad of new regulations and requirements, primarily driven by the Basel III framework and regulations such as Dodd-Frank, have increased the complexity and costs to maintain regulatory compliance.
However, truly effective risk management should not be viewed as a reactionary exercise mandated by a new regulation or the impending review by some regulatory body. In fact, to achieve a truly effective GRC, an organization may need to change its culture to allow risk management to be considered a benefit to the organization and its clients. The ability to gain operational efficiencies from process improvement, as well as the reduction in losses attributed to errors and omissions and protecting an institution’s reputation, are just some examples of the many potential benefits that go beyond simple compliance with regulations.
People, Process and Platform
In order to respond to the new requirements, banks need to focus on implementing changes to their enterprise risk management approach and other aspects of their GRC programs. The implementation of new systems to manage GRC enterprise-wide is one such response. It needs to be noted that the ability to do this at a large institution is extremely challenging. These organizations are often comprised of distinct business units dispersed across the globe with a wide range of products, systems and clients. In order to manage a GRC program at a large institution holistically, it is important that the right investments are made in people, processes and a GRC platform suitable for the scale and complexity.
When planning for an appropriate replacement of a legacy system including various point solutions and spreadsheets, there are important aspects that must be considered. Any tool or platform must provide the ability to capture the organization from that holistic perspective, as risks may not be confined by a particular organization code or profit center, subsidiary or even national boundary. The solution must provide an ability to capture the unique organizational structure of the institution, since a particular risk may reside dispersed throughout an organization. It also must provide both the total risk and a unique perspective on risk, or view for each distinct line of business that may share that risk.
In order to truly understand the potential impact of risk to the organization the solution must provide the ability to track risks and their association with related objects, such as corporate and departmental policies to processes and sub-processes; operational processes and sub-processes to identified risks; identified risks to mitigating controls; and mitigating controls to observed issues.
The ability to track risks and their relationship to processes and controls is an important factor when considering risk assessment. The organization must not only define risks but also measure quantitative factors such as likelihood, impact and velocity in order to assess each risk and weigh them according to criticality. After all, risk projections and assumptions are only as valuable and relevant to the extent that they are accurate and reliable. The solution must provide the ability to assign custom scales for scoring and weighting for risk assessment; flexibility in creating factors, hierarchies, as well as, the risk scoring algorithm; and the ability to import external data and related information.
The financial crisis provides a glaring example of how a potential catastrophic impact was downplayed by many organizations due to the perceived low probability of likelihood. Organizations must have the ability to generate specific scales and algorithms that best matches their business profile and risk appetite, whilst satisfying the regulators.
Another important aspect concerning the management of the risk assessment process is to provide the organization with the ability to coordinate this assessment with other risk management activities:
- Ability to tie internal and external audits and compliance to risk assessments.
- Integrate control testing activities to assist in the validation of risk assessment.
- Provide tight integration of all modules to create the necessary holistic view.
Finally, the solution must generate sufficient metrics and reporting that provide risk managers, at all levels within an organization, the appropriate information suitable for their responsibilities. The metrics and reporting, similar to the risk assessment algorithms and factors, must provide flexibility and an ability to customize the delivery of information in order to maximize the usefulness.
In order to ensure a correct choice of solution, each organization must define their organizational hierarchy, understand the source and nature of their specific risks and determine the activities and objects that are associated with those risks. The growth and scale of regulatory and risk challenges being encountered by organizations is staggering, which demands the implementation of the right GRC solutions. Defining the all-inclusive risk landscape and embracing a holistic perspective on GRC are the key parameters that organizations need to consider for an appropriate solution.