Risk and Compliance Imperative for Financial Institutions

Date: Thursday, September 08, 2011

Financial institutions are facing ever-increasing challenges in risk and compliance management. Rapid regulatory changes; changes in risk management principles, electronic banking and payment products; and increasing regulatory scrutiny all result in greater risks and compliance needs.

Financial institutions can adopt an integrated approach to manage the key constituents of governance, risk and compliance (GRC) programs. Such an integrated approach helps reduce overall business risk, ensure better compliance, reduce cost and also establish competitive advantage in the marketplace.

Financial Risk and Compliance Imperatives

Banks and financial institutions are in the business of taking financial risks. The higher the risk they take, the larger the expected profits and returns. However, unbridled risk, without effective risk management can be disastrous for any bank or financial institution.

Also, in recent times, the global financial services landscape has seen an increase in regulatory requirements, necessitating a greater focus on the way financial organizations manage their governance, risk and compliance initiatives. Some of the factors influencing the current financial services GRC environment and associated spend are:

*Rapid regulatory changes: The financial crisis of 2008 has resulted in sweeping changes in the regulatory regime. The regulations that have built up over the recent past include the Sarbanes-Oxley (SOX) Act, Basel II, the Dodd-Frank Act, data privacy rules, Anti-Money Laundering (AML), the BSA, the PATRIOT Act, the Volcker Rule and more, and financial institutions need to manage compliance with all of them effectively.

*Standardization of risk management principles: For example, Basel II requires compliance by all banks to safeguard the interests of their customers and investors.

*Expansion into emerging markets has brought about a new set of operating risks that financial institutions need to manage.

*Focus on data quality and data privacy has become a top priority for financial institutions with the advent of electronic transactions and regulations such as Know Your Customer (KYC), data privacy and data retention requirements.

The challenging GRC environment brought about by the above factors means that decision makers within financial institutions have to grapple with two key issues.

(1) Spend issue: The manifold increase in regulations and risks over the last few years has led to GRC costs spiraling out of control, and many financial institutions are faced with the daunting task of managing compliance with ever-increasing regulations while controlling cost.

(2) Risk issue: Historically, financial institutions have tackled their regulatory compliance and risk management initiatives by deploying solutions that each address a specific regulation. This ‘siloed’ approach has resulted in disparate and disconnected systems and in duplication of efforts and controls, which increases an organization’s risk exposure.

To tackle these costs and associated risks, it is imperative for financial institutions to take a closer look at their risk and compliance goals and rethink the initiatives that support these goals.

Effective Risk and Compliance Management – An Integrated Approach

The key objective of a GRC program is to enable stakeholders to make informed decisions by understanding the regulatory and compliance requirements while minimizing the associated regulatory and operational risks.

Such a GRC program consists of four key constituents:

*Regulatory Intelligence: offers awareness of regulatory changes and thereby helps financial services firms understand how the changing regulatory environment impacts the organization and influences business decisions. Examples of regulatory tracking are 1) key legislation changes; 2) Federal and State regulatory changes; and 3) regulatory news.

*Compliance Management: enables the conformance to regulatory guidelines from the various Federal and State regulatory authorities and facilitates the ongoing management of the compliance requirements faced by financial institutions. Examples of compliance requirements are:

- Anti-Money Laundering (AML) and Fraud Detection

- Know Your Customer (KYC)

- Sarbanes-Oxley (SOX) Compliance

- Dodd-Frank Act

- Volcker Rule

- Basel II


*Risk Management: enables financial services firms to identify, assess, measure and monitor market, credit and operational risks. The key capabilities of efficient financial risk management are:

- Gathering of all risk related data to facilitate assessment of risks

- Risk assessment and controls

- Risk remediation

- Risk analytics and modeling

- Risk reporting

*Governance: is the process by which financial institutions create corporate policies based on internal and external regulations. This helps manage policies and procedures while ensuring accountability and communication of policies across the organization. The key elements of governance are:

- Policy and procedure management

- Policy documentation and reporting

- Change management

- Communication and training management

Integration of GRC constituents to achieve value

To achieve value through effective GRC management, financial institutions need to adopt a coordinated, cross-organizational approach to managing the various GRC constituents – regulatory intelligence, compliance management, risk management and governance. By taking an integrated GRC approach, effectiveness can be increased while the associated costs are reduced. Achieving an integrated GRC process means:

*A holistic and consistent approach to implementing governance, risk and compliance initiatives

*Effectively managing data acquisition and consumption

*Improving collaboration and intelligence

A holistic and integrated approach to implementing GRC initiatives

Complete integration of all GRC processes is a gradual process and is achieved by integrating technology, processes and data across the organization.

*Integration of technology: using appropriate technologies is a key enabler for the implementation of truly holistic GRC management. Some examples of holistic GRC management through technology are:

- Use of a common GRC platform to support multiple GRC processes

- Integrated reporting across processes

- Common dashboards and analytics across processes

*Integration of GRC processes: Identifying regulatory requirements that demand similar levels of controls to achieve compliance is the key factor in achieving integration at the process level. Once such requirements are identified, a common compliance control process or risk assessment strategy can be developed and implemented, thus achieving integration at the process level. The Sarbanes-Oxley Act (SOX) and the Foreign Corrupt Practices Act (FCPA) are examples of regulations where such process-level synergies are possible.

*Integration of GRC content: The typical financial institution holds large amounts of data and information, further complicated by duplication, redundancy and a variety of formats.

Content integration can be achieved by a two-step process:

*Data acquisition and cleansing: extracting relevant content from various structured and unstructured sources and then cleansing the data using techniques such as de-duplication and integrated quality control processes to generate correct and complete content.

*Data consolidation for further consumption: consolidating the content in a single repository that is scalable, searchable and adaptable to a variety of content types.

Business Benefits and Conclusion

An effective and holistic risk and compliance management approach results in many benefits for financial institutions:

*Investor confidence, brought about by the effective governance that a holistic approach to risk and compliance management facilitates.

*Reduced costs: Integrated governance, risk management and compliance initiatives lead to significantly lower operating costs and eventually a lower cost of capital.

*Accelerated business performance: Interconnected and cohesive processes, supported by appropriate technology, enable a financial institution to respond to regulatory changes and compliance requirements flexibly and efficiently, and enable better operating performance.

*Risk reduction: The reduction of non-compliance risk and associated penalties, including loss of reputation.

In conclusion, financial institutions should recognize that there is value in an integrated approach to managing governance, risk and compliance initiatives. This value is derived by integrating technology, processes and content; managing data acquisition, consumption and distribution; and improving collaboration and knowledge management. Financial institutions should adopt this holistic approach to help all stakeholders collaborate effectively, reduce overall business risk, ensure better compliance, reduce costs and achieve competitive advantage in the marketplace.

The author is Vice President - IT Services, Mindteck