It is said that by 2025 the risk functions of the banking and financial sector will be fundamentally different from today, and that we could see more transformation in the next 10 years than in the last few decades. This is not only due to technology advancements, but is driven mainly by the threats posed by large-scale technology adoption and by regulation pushed to protect end customers’ interests against cyber threats & inappropriate business practices.
“A siloed approach towards risk & compliance may turn out fatal for an organization, as it goes hand in hand with business processes to achieve the end results on investments”
Ensuring compliance & managing risks are becoming part of business goals and a non-negotiable component of corporate strategy. The speed and complexity of regulatory changes require the industry to react faster, with zero error, while adopting technology to upgrade the customer experience and ensure end-to-end security. Organizations have to deal with growing threats from non-financial risks (risks other than the market risk associated with financial instruments) to remain a ‘going concern’. The losses can be as big as hefty fines and litigation expenses due to compliance lapses, with loss of reputation as an indirect loss. The risks today are not limited to any particular function or department, and that is why we need enterprise-wide solutions.
After the banking crisis, the cost of regulatory compliance has gone up significantly. This came from increased investment in technology along with training and deploying additional staff to handle compliance. Increased compliance will push the financial industry to adopt an evolving technology framework in which software/firmware upgrades can be done easily, at low cost and with minimal effort and time. Transaction monitoring, log generation, reconciliation, regulatory reporting, risk management, and identity & access management are the key areas where regulators have started asking for access & control, and that requires banking & financial institutions to implement transparent systems with open, real-time access to data and the insights derived from it. Such a framework addresses today’s needs and prepares the organization for future regulatory compliance.
Effective GRC policies: Core of business growth agenda
As businesses spread across geographies as part of their growth objectives, it is imperative for them to comply with an evolving set of rules and regulations, where each step toward growth must be carefully evaluated and examined to ensure compliance and minimize risk. A static approach in an environment with different industry standards in different geographies would limit business viability and affect profits. Inherently, all business functions that run on IT-enabled solutions follow some sort of rules and regulations laid down by the enterprise, and that sets the tone for broader compliance at an industry level.
The idea is to identify risks at each level of the business process and deploy systems that are interactive, real-time, comprehensive, and scalable enough to meet existing regulatory needs and that can easily be transformed to fulfil future needs.
Technology has been the engine for most financial services and products, and it has pushed the fundamental need for security & reliability, exposing companies and financial services customers to inherent risks. While facing pressure from regulatory bodies and economic volatility, banking and financial services organizations are transforming their risk and compliance functions through an enterprise-wide framework. The major risk areas are –
- IT governance & strategy
- IT infrastructure
- Information security
- IT disaster recovery
- Data analysis & management
Regular IT audit, assurance, and certification services are required to manage and mitigate risk proactively. Effective data privacy policies and procedures are required to ensure compliance with legislation. An information security system must be established to control and safeguard sensitive information. It takes seconds for a cyberattack on a banking or financial institution to become breaking news, and the potential damage is huge. Ineffective network security systems may lead to data theft and long downtimes. A 360-degree approach towards risk & compliance is best implemented by having holistic GRC policies on the business agenda. Let us see why an integrated view is required.
An integrated approach towards compliance: why?
When regulations were introduced, the common reaction of banks and financial services organizations was to identify, develop, and purchase point solutions to manage compliance. As regulations were revised or revisited over the years, compliance processes and documentation became duplicated. Organizations lacked an integrated view, which increased cost and prevented a uniform view across compliance requirements. This pushed them to step back and rethink their GRC needs and requirements, putting a long-term strategy in place to meet future GRC needs along with re-architecting processes. Another pressure comes from increased risk exposure in a multi-technology, multi-location, multi-partner technology ecosystem. These risks pose higher challenges, as information does not flow between systems located at different places and running on different technology bases.
There have been multiple occasions where banks & financial institutions have paid significant penalties in money and other resources. Beyond that, officers have been jailed and brand value has been diluted. In simple words, banks & FS organizations can’t afford a regulatory mistake today.
There has been a gradual shift in compliance priorities in the last 10 years, with the strategic focus of institutions aligning with regulations that protect the interest of end customers. Consider the example of Sarbanes–Oxley (Public Company Accounting Reform and Investor Protection Act): companies are losing focus on it, seeing only minor changes to the act in the last few years, and gaining focus on areas like anti-money laundering (AML) and protection against loss of reputation, to protect the interests of both customers & companies (source: MetricStream whitepaper on GRC). Due to the generic nature of their processes and operations, FS companies used to address compliance issues with a siloed approach. Risk & compliance issues were addressed by different units using different approaches, in an uncoordinated manner, at a time when there is a lot of interdependency and controls are shared across the organization. This leads to duplication of effort and cost implications in controlling compliance issues.
To avoid interruptions & maximize business performance, GRC initiatives must be designed to help the organization avoid major disasters and to minimize the impact when avoidance is unlikely.
To manage compliance issues using an integrated approach and execute multiple GRC plans in parallel, companies need to adopt a structured approach to enhance compliance effectiveness and reduce cost & effort. It will also enable a coordinated approach to risk assessment and management. As per a recent report from Forrester, “The driving factors for adopting a structured approach towards effective governance, risk, and compliance (GRC) are business complexity, along with increased regulatory and market scrutiny. The objective is to effectively define, manage, and monitor the external and internal business environments.”
Business vs. IT view on GRC –
Earlier, GRC had an independent view and was not aligned to corporate strategy or business goals, but as challenges evolved and technology took a central place in all business decisions that drive profits, GRC became part of the business growth agenda. Certain areas that still need to be explored from the business perspective are mentioned below –
- Is it better to have a centralized GRC policy driven by a centralized platform, or should individual departments hold the reins for GRC?
- Must users/employees spread across geographies be given access to regulate GRC policies at their end, or must they check, validate, and update at a central level?
- What are the business-level prerequisites for installing or implementing effective GRC policies at a central level?
- Can the business control all transactions or data in real time through an integrated GRC approach?
- What are the key parameters to consider while onboarding a technology service provider to implement a structured GRC approach & solution for the organization?
- What are the checks and balances to see whether we are on the right track or not?
- Are there any next-gen technologies and capabilities that must be envisioned?
Let us see the IT perspective & concerns on this –
- What are the key risks and compliance requirements that IT, as a business stakeholder, must address?
- Is there a central platform where users located in different geographies can access, manage, review, and evaluate risk and compliance information?
- How can IT automation or next-gen technology help the organization ease risk identification & compliance implementation?
- Is the organization equipped enough to adopt integrated GRC policies, in terms of human resource availability and infrastructure, to monitor, assess, and pivot?
As banks and financial service providers move from core services like insurance, accounting, credit, investment, and cash management to the non-banking ecosystem, like mobility services, business process outsourcing, health services, and stock management, the need for integrated GRC has become a critical component of the business sustainability plan, and not only for business sustainability but also to avoid fines and settlements. According to a research report from McKinsey & Company, regulatory fees have increased dramatically relative to banks’ earnings and credit losses since 2009, reaching 45X in 2014.
Per a Market Insight 2018 report from Everest, there are six disruptive trends in the risk and compliance landscape that are shaping up the industry –
- Increased focus on risk & compliance is not only bringing down the cost of regulatory fines and increasing customer trust, but also bringing competitive advantage.
- Next-gen technologies, like AI & Big Data, are acting as catalysts to build this competitive advantage.
- With the rise of regulations related to technology, banks are being pushed to expose data & services to the external environment through technologies like APIs, which in turn pushes the adoption of Cloud, IoT & Cybersecurity.
- The circumference of risk is increasing due to shifts in the ecosystem in which banks & financial service organizations operate, like cyber threats & chatbot ethics.
- Due to the advent of regulations, supporting technology, and service providers, the regulatory technology (RegTech) ecosystem is picking up and gaining massive growth.
- Technology, on one hand, has opened new doors of revenue & growth; on the other hand, it has brought serious threats to business and put cybersecurity at the top of the business agenda.
The right compliance technology!
The traditional model for compliance was designed in a different time and ecosystem, addressing different needs. Inclined toward the legal arm of the organization, it also focuses on identifying actual risk as it happens and drafting a compliance policy for it. Certainly this has evolved with time, converting regulatory requirements into management actions. But it also lacked an integrated approach for the organization, and hence technology took the space. An emerging model in banking & FS developed, which primarily relies on three principles –
- Developing a robust risk identification & assessment framework.
- Developing a control system that can identify all the risks and controls, tying risk & compliance to each business process and setting up key risk indicators.
- Setting up an integrated approach, with the help of technology, that can help identify, collect, report, and act faster.
But how to choose the right technology?
None of the technologies available today can solve the issue and help the organization meet its goal individually. This necessitates the role of a technology service provider who can create a holistic plan and integrate the multiple dispersed components.
Next-gen technologies, like artificial intelligence, blockchain, robotic process automation, NLP, cloud-native services, and machine learning (ML), are playing a bigger role in the compliance landscape. Connected infrastructure points and integrated data views are available to transform enterprise risk management, which can help the business and its compliance function better predict trends, report anomalies, and avoid crises proactively.
A company in the banking and FS sector must identify the areas which need significant control over risk management and compliance, with buy-in from leadership & business unit heads.
Below are five steps which may help you choose the right technology with a service provider –
- List the areas which need focus and are significant to business sustainability, and map solutions to them.
- Identify a vendor which fits the overall solution area and can provide outcome-based results.
- Onboard business stakeholders & get other resources ready.
- Create a step-wise makeover plan for replacing age-old legacy infrastructure.
- Train & deploy the right people on the right assignments, measure outcomes, & pivot.
Today, RegTech is a buzzword in the banking and FS industry. It is now a universe where multiple technology providers offer multiple solutions in the GRC landscape.
The RegTech space offers advanced solutions to the ever-increasing demand for compliance within the financial industry, mainly covering regulatory reporting, risk management, identity management & control, compliance, and transaction monitoring. All of these are delivered through a combination of the next-gen technologies available today, like Cloud, IoT, AI-driven automation, machine learning, and cybersecurity. As regulations scale day by day, organizations with a complex set of operations need to find efficient ways to comply. This is where RegTech becomes more important, helping businesses get organized with their compliance requirements and develop systems to deal with future requirements. RegTech primarily touches three elements of the organization, regulation, people, and data, and the combination of all three creates a culture of compliance with the help of technology. It differs from regular solutions in providing pay-per-use service, with algorithms and rule-based systems put in use to remove manual work in spreadsheets.
RegTech, in a nutshell, helps organizations assess or identify compliance issues quickly, with fast implementation and minimal aberrations from people and technology.
The role played by compliance analytics can’t be ignored in establishing an effective system for GRC. Unlike risk assessment, which is purely backward-looking, compliance analytics works in all dimensions (predictive, prescriptive, and diagnostic analytics) and provides rich insights from the compliance perspective to all stakeholders.
Key business benefits –
Integrated GRC policies are implemented at the department or business unit level, but business benefits are reaped at an enterprise level.
- Having effective GRC in place safeguards brand reputation, shareholder confidence, and the trust of end customers.
- With transparency in the system, the business can take initiatives with optimal risk-reward outcomes.
- With an integrated GRC system, businesses can save huge costs on regulatory compliance by avoiding hefty fines.
- Streamlined business processes through GRC help keep data quality at par and relevant information accessible to the concerned stakeholders in a matter of a click, thus smoothing business decision making.
The way ahead for risk & compliance, especially for banking and FS organizations, is clear & smog-free; it depends on non-negotiable consideration of integrated GRC policies as part of corporate strategy. They need to build this culture to get a competitive edge over their peers.