
Five best practices to innovate and simplify governance, risk and compliance

Depending on the tenor of the times, navigating the financial services landscape gives rise to far more challenging questions than comforting answers. Such as: Who can truly stay on top of institutional compliance between the changing political landscape, new or changing banking regulations, and ongoing program management? And: If maintenance remains a concern, what happens when much-needed innovation takes a backseat—leaving financial institutions with outdated practices plus multiple documents and processes in play?

The solution to both problems—how to streamline ongoing maintenance while up-leveling risk management—is surprisingly simple. Technology and these five key best practices can truly transform your institution’s governance, risk and compliance efforts into something manageable, comprehensive, strategic—and most importantly, effective.

1. Take an enterprise view

The concept of governance, risk and compliance management (GRC) is nothing new. Ever since the start of banking regulations, financial institutions have needed to comply to continue doing business. Over time, GRC management has grown to include multiple aspects of a financial institution’s business, including:

  • compliance
  • risk
  • business continuity
  • audit
  • third-party risk management
  • incident management
  • operational risk

Typically, different teams manage all these components separately. To garner insight into multiple areas of compliance practices, financial institutions often use a hybrid of technologies: spreadsheets, emails, documents and shared drives and files.

While this approach is one way of getting the work done, it’s imperative to instead take an enterprise view of compliance and risk management. Otherwise, risks can pop up in the gaps between these business silos. Many documents spread across many technologies may fail to prevent these risks, let alone pave an efficient path.

2. Leverage data effectively

Even with an enterprise-level view, you’ll need data to support conclusions. If you don’t leverage data effectively, it becomes hard to interpret risks and capitalize on opportunities. Multiple documents and technologies create headaches in analyzing data—yet having such data is critical to innovating GRC efforts in the modern age. The data doesn’t lie; rather, it tells the story.

One example of risk in this area is a financial institution that protects data only through a single software security solution. Ways to properly manage risk in this area include consistently inventorying all software and solutions, conducting vulnerability scans and testing controls. These initiatives will help prevent a breach that could increase reputational risks down the road.

3. Foster greater internal collaboration

Fostering cross-department collaboration can be tricky in any organization. But this becomes especially important for financial institutions when it comes to governance, risk and compliance. Institutions that prioritize the breaking down of organizational silos will see the benefits reflected in a better risk management and compliance program overall. Greater internal collaboration significantly improves:

  • engagement of multiple areas for risk assessments
  • incident management
  • fraud prevention and control
  • policy review

When a financial institution develops a new policy, it should consider the impact on IT, training, HR and legal. All these areas will look at the document, and they all will have edits. How does an institution collate the feedback, manage it and then distribute it again? To cut down on the “back and forth,” an institution should invest in a GRC technology that comes with a collaboration component.

This makes the process easier to manage rather than taking a manual approach—and creates efficiencies, cuts time, boosts collaboration and provides a central repository to archive policy versions.

4. Properly map risks with controls

The best defense against gaps in your governance, risk, and compliance program comes down to properly mapping every risk with a control.

While it’s easy to identify a risk, pegging the proper control to go along with it is another matter. Still, every risk needs a control and every control needs a test. If not, you have a gap and may need to assess whether you want to accept the risk.

Below is an example of how to map risks with controls:

Risk: Individuals (such as tellers, lending officers, etc.) have access to sensitive information such as account and Social Security numbers.

Controls:
  • Properly identify individuals who handle sensitive data, and make sure there are no reputational risks.
  • Conduct background checks on all new employees.
  • Ensure employees do not have exposure to an excess of information either through security or facility protocols.
  • Develop dual control policies and procedures.
  • Create separation of control procedures.
  • Check that email and other technologies aren’t vulnerable to data theft.
  • Prohibit smartphones/camera technology on the floor.

Ideally, an institution would conduct this exercise for every risk they identify in their business.
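As an added illustration (not part of the original article or any Harland Clarke product), the following Python script encodes the rule just described as a small risk register check: every risk needs a control, every control needs a test, and a tested control still leaves residual risk to be assessed. The register, the dates, the 365-day test-age threshold and the control names are constructed for this example; the first risk is loosely modeled on the teller-access example above.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class ControlTest:
    name: str
    last_run: Optional[date] = None  # None means the test has never been executed
    passed: bool = False


@dataclass
class Control:
    name: str
    tests: List[ControlTest] = field(default_factory=list)


@dataclass
class Risk:
    name: str
    controls: List[Control] = field(default_factory=list)
    accepted: bool = False                 # management has formally accepted the risk
    residual_rating: Optional[str] = None  # e.g. "low"; None means residual risk never assessed


Gap = Tuple[str, Optional[str], str]  # (risk, control or None, issue)


def find_gaps(risks: List[Risk], as_of: date, max_test_age_days: int = 365) -> List[Gap]:
    """Walk the register and report every place the risk -> control -> test chain is broken."""
    gaps: List[Gap] = []
    for risk in risks:
        # A risk with no control is a gap unless the institution chose to accept it.
        if not risk.controls:
            if not risk.accepted:
                gaps.append((risk.name, None, "no control mapped and risk not formally accepted"))
            continue
        all_tests_pass = True
        for control in risk.controls:
            if not control.tests:
                gaps.append((risk.name, control.name, "control has no test"))
                all_tests_pass = False
                continue
            for test in control.tests:
                if test.last_run is None:
                    gaps.append((risk.name, control.name, f"test '{test.name}' has never been run"))
                    all_tests_pass = False
                elif (as_of - test.last_run).days > max_test_age_days:
                    gaps.append((risk.name, control.name,
                                 f"test '{test.name}' is stale (last run {test.last_run.isoformat()})"))
                    all_tests_pass = False
                elif not test.passed:
                    gaps.append((risk.name, control.name, f"test '{test.name}' failed"))
                    all_tests_pass = False
        # Even a fully tested control set leaves residual risk that must be rated.
        if all_tests_pass and risk.residual_rating is None:
            gaps.append((risk.name, None, "all controls tested but residual risk not assessed"))
    return gaps


# Constructed sample register (hypothetical data, not from the article).
AS_OF = date(2024, 6, 30)
REGISTER = [
    Risk("Staff access to account and Social Security numbers", controls=[
        Control("Background checks on new employees",
                tests=[ControlTest("Sample 10 new-hire files", date(2024, 3, 1), True)]),
        Control("Dual control over sensitive transactions"),  # no test defined
        Control("Smartphones/cameras prohibited on the floor",
                tests=[ControlTest("Quarterly floor walk", date(2024, 5, 15), False)]),
        Control("Email data-loss prevention rules",
                tests=[ControlTest("Annual DLP rule test", date(2023, 1, 10), True)]),  # stale
    ]),
    Risk("Third-party vendor outage"),  # no control and not accepted
    Risk("Paper statements left on shared printers", controls=[
        Control("Clean-desk procedure",
                tests=[ControlTest("Monthly spot check", date(2024, 6, 1), True)]),
    ]),  # passes, but residual risk never rated
]


def gaps_for_sample() -> List[Gap]:
    return find_gaps(REGISTER, AS_OF)


if __name__ == "__main__":
    for risk, control, issue in gaps_for_sample():
        print(f"{risk} | {control or '-'} | {issue}")
```

Run as a script, it lists one line per gap; in a real program the register would be loaded from the GRC platform rather than hard-coded, and the age threshold would follow the test schedule each control is assigned.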

5. Integrate technology for ease and innovation

Technology marks the best way to implement and streamline the best practices outlined above. Besides making daily management of GRC easier, technology can spark innovation in two other areas of institutional compliance: third-party risk management and process automation.

Specific to third-party risk management (a large part of what banks need to do from a regulatory standpoint), institutions must obtain sources of evidence to demonstrate proper management of the partner or vendor. Technology systems can be set up to automatically request certain documents that need annual maintenance, such as:

  • SOC1 (Service Organization Controls Report)
  • review of contract
  • onsite review of vendor
  • complaint management
  • vendor risk assessment

Once a risk is mapped to a control and that control has been tested, check afterward for any residual risk.

Putting it all together: The imperative to improve

The bigger the financial institution, the bigger the business; the bigger the business, the more third-party vendors and partners—and thus the more regulatory scrutiny. For this reason, institutions have an imperative to implement technology platforms that break down organizational silos and provide greater visibility into the business. Truly, the view from the proper platform helps banks see the big picture.


Kevin Malicki is director, product management, Governance/Risk/Compliance at Harland Clarke.
