Integrated GRC in Banks and Financial Services Companies: Improving visibility and Management of Risks & Controls

Leverage the platform based approach to streamline enterprise wide GRC programs

During the past few years, the global finance industry has seen an unprecedented surge in regulatory requirements, forcing a greater focus on the way organizations manage risk, especially financial risk. Regulators and credit rating agencies are demanding more transparency. At the same time, stakeholders and senior management are pressing for enhanced business value. Most firms have typically created fragmented and silo-based risk management and control programs. These siloed risk management programs are, however, not scalable; the technology supporting them is insufficient; and they do not merge into a common framework.

Recognizing the virtues of centralized GRC models, several forward-thinking institutions have already launched convergence efforts - integrating management of risk, compliance and control processes. The transition from traditional silo-focused systems to a holistic approach has plentiful benefits – streamlined risk and control programs; reduced input of time and resources; eased burden of corporate control units, such as internal auditors, compliance managers, and risk managers; and enabled multi-dimensional risk information for business intelligence. The endeavor, however, requires a well-communicated vision with clear roles and responsibilities. Need of the hour is a GRC solution that provides a clear, and unambiguous process for Governance, Risk and Compliance; and delivers a single point of reference for the organization to carry out these distinct yet entwined processes. Such solution is expected to synergize risk and compliance process leading to reduced cost and higher efficiency.

According to a survey, worldwide, GRC-related technology and services spending is expected to increase by more than 7% in 2008. The report, which surveyed 420 companies in the U.S., Germany and Japan, holds that demand for GRC services and consultants will rise nearly 22% as companies look for outside help in crafting their risk management strategies.

MetricStream offers industry’s most advanced and comprehensive solution designed to meet the GRC needs of the financial services department. The solution is based on an integrated ‘Enterprise Compliance Platform’ (ECP) for successfully managing risk, and meeting regulatory requirements while lowering the associated costs. ECP, a proven infrastructure for building GRC application, provides the core services to automate and streamline the GRC processes.

This paper describes the challenges faced by the financial services and banking industry while managing Governance, Risk, and Compliance separately. It details out GRC tools and strategies, and finally discusses how MetricStream addresses some of these core issues.

Challenges

Risk Tools and Methods Various tools and techniques can be used for managing risk. The following are some examples: Risk Maps: Summary charts and diagrams that help organizations identify, discuss, understand and address risks including financial risks by portraying sources and types of risks and disciplines involved/ needed; Dashboards: Summary information in a graphical format using various charts, gauges, and maps; signaling various levels of performance; Modeling Tools: Scenario analysis and forecasting models to show the range of possibilities and to build scenarios into contingency plans; Workshops, Questionnaires, and Self -Assessment to identify and assess risks; and Training Programs to promote risk awareness and management by sharing information internally and externally.

The operational environment for today’s financial services companies has never been more challenging. Companies are grappling with regulatory compliance requirements, market volatility, economic downturn, and industry consolidation as they face pressure to drive revenues and increase efficiency. Companies constantly look for better ways to manage and monitor compliance and controls process across the enterprise, eliminating any deviations and errors as well as redundant activities. Despite the growth of various technologies, finance managers continue to face challenges discussed below:

• “Compliance Fatigue” with ever increasing regulation: Regulatory compliance is a key challenge for financial services industry, with numerous standards and regulations governing nearly all aspects of the businesses. Benchmarking against best industry practices like Federal Board Directives, GLBA, etc has become a norm. Apart from regulations like SOX, Basel II, AML or US PATRIOT Act, financial services companies now need to turn their attention to MiFID (Markets in Financial Instruments Directive) in Europe and NMS (National Market System) in the US; leading to extreme ‘Compliance Fatigue’ among the finance compliance managers.
• Data Challenge: Responsible entities must define methods, processes, and procedures for securing timeliness and accuracy of info being used for tools like credit scoring, stress-testing and economic capital. As the operational scenario has become increasingly complex in the financial industry, the need for a robust data infrastructure to gather and process risk information is becoming more pressing than ever before.
• Risk Analytics: An accurate overall risk analysis must incorporate different types of risk (market, credit, operational); and must bring together risks across different business lines (banking, insurance, securities). Although the broad risk concept applied within and across these dimensions are similar, the details differ considerably. This makes simple “bottom-up” aggregation approaches difficult to implement. These differences present a challenge for calculating consolidated risk exposures that span several risk types.
• Compliance Reporting and Real-time alerts: Most global organizations have managed financial compliance reporting in discrete categories-by geography, business unit, or business function; resulting in lack of visibility into their operations. This decentralized approach is insufficient to keep pace with stringent compliance requirements. Companies must find a way to pull consistent, reliable, and auditable reports from many disparate sources. This includes dashboards and appropriate triggers to alert staff to potential compliance issues, so they can react on a timely basis
• Operational Efficiency: With limited IT budgets, unpredictable market pricing and challenges, and aging infrastructure, financial organizations industries are constantly focused on improving operational efficiency. Managers look to have a holistic view of operations across the entire organization, so that they are armed with the information they need to make key business decisions that directly influence the bottom line.
• Financial Crimes: Crimes like fraud, phishing, security lapses, critical data leakage, and anti-money laundering experiences are a few of the issues that plague the finance industry. The conventional ‘tickthe-box’ compliance will no longer suffice, as regulators advocate a risk-based approach and impose tougher penalties. The industry requires an efficient adverse management system that provides prompt
  reporting and tracking, analysis and resolution of such adverse events.
• Market Volatility: The volatility or standard deviation of financial market prices provides the requisite basis for determining the appropriate amount of price change to incorporate into the VaR calculation. The present day market volatilities, however, make these calculations less reliable and more error prone.
• Corporate Culture: Organizational culture plays an important role in developing risk awareness across the enterprise. Most finance managers encounter significant challenges while embedding risk management and reporting within the company culture.
• Internal Checks & Balances: Absence of disciplined alert detection and management policies at the department and business levels pose a significant challenge in the present day complex financial environment. These policies ensure that appropriate department managers and senior executives have real-time access to potential employee fraudulent activities. A structured ‘decision tree’ is required to process tracks and categorizes potential threats.
• Failure to Document & Track Suspected Activities: A focused internal review system that incorporates department based insight and company-wide surveillance is also essential in detecting risk. To prevent risk exposures, businesses must apply vigilance to a system that combines disciplined policies, checks and balances, and tools to detect, report and prevent abuse across entire transaction processes.

Most financial institutions are now looking to initiate multi-disciplined risk convergence process - aligning and consolidating certain control group responsibilities under a single point system. Implementing such a change, however, can be daunting. Many well intentioned corporate initiatives fall short. While defining the vision, it is critical that all aspects of the current risk and control management related frameworks are considered.

Building GRC Framework for Financial Services
While there is no ‘one-size-fits-all’ approach to integrating GRC, most risk experts expect that the GRC framework should not merely lead to compliance; it should also provide the financial institutions with mechanisms to better understand and manage the nature of risk. A robust GRC framework is made up of the following components:

Risk Governance: It is essential that management provides clear guidance on risk appetite or tolerance, policies, and processes for day-to-day risk reporting and management.

• Appetite and Policy: An ideal risk reporting and management process ensures that the organization establishes a risk appetite, measures actions and decisions against that risk appetite, and communicates the results. Management should consider the entity’s risk appetite while evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.
• Risk Tolerance: Understanding the current state of risk tolerance assists in developing a risk profile, and making decisions on what risks must be managed, how, and to what extent. It also helps identify the challenges associated with risk consultations and communications.
• Clear Definition & Communication of Policy: An organization’s management must identify, assess, decide, implement, report, audit, and supervise their strategic risks. There should be a strategic policy at the board level to focus on managing and reporting risk, and make conscious efforts to ensure that these policies are communicated at all levels and across entire value chain. The policy should guide employees by describing the financial risk, operational risk and enterprise-wide risk management process, establishing roles and responsibilities, providing methods for managing risk, as well as providing for the reporting, monitoring and evaluation of both the objectives and results of risk management practices.
• Periodic Evaluations Based on Internal & External Changes: An ideal GRC framework periodically evaluates the risk management’s performance goals in the light of internal and external factors. Depending upon the criticality of internal operating environment and key external factors, organization must review the strategic policies inside out. Some external factors considered for potential risks include political influence of international governments and other governing bodies; international and national markets; globalization; social trends; and upcoming new technologies. While the internal factors include governance and accountability structures; values and ethics; individual and corporate risk management culture and tolerances; existing risk management expertise and practices; human resources capacity; level of transparency required; and corporate policies, procedures and processes.

Structure: When designing an integrated GRC structure, the organization’s overall risk scenario serves as a guideline. This includes laying down a hierarchical structure that integrates the risk management function into existing strategic management and operational processes; leverages current risk processes; capitalizes on existing capacity and capabilities such as communications, committee structures, and existing roles and responsibilities; and establishes standard risk reporting format for business risk reviews.

• Reporting: The development of evaluation and reporting mechanisms for risk management activities provides feedback to management and other interested parties in the organization. The results of activities, such as performance reporting, ongoing monitoring, and appraisal, ensure the effectiveness of integrated risk management. Such reporting has to cover two distinct aspects:
• Delivery of defined, relevant risk information to management and risk control, and
• Reporting of information aggregated by risk category to business line management, the board and the risk committee

Implementation: An ideal integrated risk management program enables organizations to efficiently identify, assess, and report risk-related information through different sources of information like risk assessment, risk and control self assessment, loss data collection, and key risk indicators. The comparisons between different sources of information on a consistent basis leads to the ability to carry out risk-audit activities, assess risks, draw more powerful conclusions, and prepare recommendations for risk mitigation. Few of important elements to be considered are:

• Loss Data: With a common framework in place, the organization collects, evaluates, monitors, and reports risk loss data. Such a process would be designed to provide the basis for any management decision from ad hoc reporting to regular risk reporting and ultimately leading to support quantification models as well as risk assessments
• Risk Assessment: Risk assessment provides organizations with a qualitative approach to identify and quantify potential risks. While the details vary, the basic structure of a risk assessment is universal - a set of matrices identifying, assessing, and ranking risks and its subcomponents in terms of likelihood and impact of occurrence, based on a defined risk appetite.
• Scenario Analysis: This is the most common technique for assessing risks. Here the team members assess risks in terms of an undesirable event, expected outcomes of the event, severity of the event’s impact, probability of the event happening, and when the event might occur in the project.

Responding to Risks: When a risk event is identified and assessed, a decision is made concerning which response is appropriate for a specific event. So the next step is responding to the identified risks. This step involves setting desired results by defining objectives and expected outcomes for ranked risks; identifying and analyzing options to minimize threats and maximize opportunities; choosing a strategy to apply decision criteria; and applying the precautionary approach/principle as a means of managing risks.

Ensuring Continuous Risk Management Learning: Continuous learning is fundamental to more informed and proactive decision-making. It contributes to better risk management, strengthens organizational capacity, and facilitates integration of risk management into an organizational structure.

MetricStream Financial Services Solution

The MetricStream solution is designed to support integrated Governance, Risk, and Compliance framework within a financial services organization. The MetricStream Compliance Platform becomes the nucleus of a corporate governance ecosystem, coordinating all governance, risk and compliance activities throughout the enterprise via a single management system. The solution offers the following capabilities.

• Corporate Governance: The MetricStream solution automates the governance process within a financial organization, defines and communicates key financial policies, and oversees and evaluates their implementation through risk scorecards and operational dashboards. This can be achieved through effective Audit and Policy Management, which is the core component of the MetricStream’s GRC solution. The solution also streamlines business ethics programs, keeps track of training requirements, and maintains high quality standards (ISO, Six Sigma).
• Audit Management: The MetricStream’s audit management solution enables a financial services organization to manage internal as well as external audits in accordance to financial services industry-standards such as AICPA, PCAOB, or GAAP. The solution defines objective and scope, organizing audits in a logical structure and hierarchy. With detailed checklists, evaluation and pass/fail criteria, it streamlines the entire process of audit. The solution enables auditors to record qualitative and quantitative findings along with detailed observations and recommendations in predefined formats. The solution permits flexible routing of audit findings and auditors recommendations to appropriate quality managers for review and subsequent actions. Findings can be linked to Risk Assessment conducted by Business Unit / Risk Management team.
• Policy & Procedure Management: The MetricStream policy & procedure management solution provides a framework to the financial services department to adopt an automated approach to manage external and internal policies across the enterprise. The solution maintains a central repository for efficient storage and access control to policies & procedures – streamlining creation, version control, and overall management of corporate policies and procedures. The solution provides an efficient way to communicate policies across the enterprise with appropriate reviews and approval cycles that allow automatic movement from one stage to another. The solution provides automatic alerts and notifications to concerned employees for policy updates, ensuring employee accountability wherever required. In addition, the MetricStream solution provides enterprise-wide visibility into implementation status of policies with measurable performance metrics.
• Risk Management: The MetricStream solution covers all aspects of potential risks - bank protection, fraud prevention, key risk indicators, financial risks, operational loss data, business line risk oversight, and new products and initiatives for data security. The solution provides an integrated risk management platform, which can be further leveraged to qualify for Basel II AMA approach. The solution implements strategies, methodologies (RCSA, KRI & LDC) and risk reporting functionality to identify, measure, monitor, control and mitigate operational risk. The solution ensures that the organization’s internal systems and controls are credible; well reasoned & well documented; and transparent & accessible.
• Compliance Management: The MetricStream solution for compliance management implements standardized processes to comply with the financial industry’s regulatory guidelines, such as Federal Reserve Regulations, AML, GBLA, FFIEC, and Fraud Detection, and cross industry mandates, such as Sarbanes Oxley Act (SOX), or Payment Card Industry Data Security Standard (PCI DSS). The solution maintains a centralized compliance structure with capabilities to capture all processes, associated financial accounts & statement assertions, and relevant risks & controls with appropriate linkages. The solution supports assessment based on predefined criteria and checklists with appropriate scoring, tabulating, and reporting - enabling business unit owners & compliance managers to have complete control over compliance management process. With ability to document and track issues arising out of non-compliance to closure, the solution triggers automatic notifications & alerts. The solution ensures that identified issues are well documented, and follows a systematic mechanism of remediation and disclosure using the underlying workflow and collaboration engine. In addition, the solution has preconfigured compliance reports and provides flexibility by enabling stakeholders to configure ad-hoc or scheduled reports to view metrics by variety of parameters.
• Reporting: The MetricStream solution enables financial organizations to have real-time visibility into control gaps and policy exceptions; gain clear visibility into key risk indicators, assessment efforts and the overall risk profile; understand the status of compliance initiatives; and increase visibility into the results of these efforts among company stakeholders and auditors. The solution features executive dashboards for enterprise-wide visibility into the compliance process, and underscores issues that need to be addressed. The system reports real time control status and remediation status on graphical charts that can be accessed globally. The ability to drill-down provides an easy access to data at finer levels of detail. Automated alerts for events such as exceptions and failures eliminate any surprises and make the process predictable. In addition to the standard reports available in the solution, end-users can build custom reports using the simple Reports Wizard without any programming. The solution also provides a systematic mechanism for managing regulatory reporting and filings as well as surveys and certifications in a consistent, reliable and predictable manner. It ensures accountability by enforcing the flow of information and records and documenting attestations and representations at appropriate stages.
• Incident Management: The MetricStream’s Incident Management solution provides for incident detection and recording, loss event tracking, investigation, escalation, and diagnosis, and closure of incident - leading to an elaborate remediation or corrective action process. The solution improves communication and teamwork on exception cases across functional areas; and helps the top management gain enterprise-wide visibility into the status of issues and incidents, and track related process metrics. The system also supports the regulatory reporting and submission process with ‘decision trees’ that identify reportable events.
• Asset & Inventory Management: The MetricStream solution provides updated asset information to help finance managers create and evaluate several budget options before they invest company's financial assets in any plan or project. It maintains a real-time log of all company assets-- including inventory, personnel using the assets, and the life cycle and history of those assets.
• Loss Management: The MetricStream solution enables companies to reduce risk, and improve compliance by implementing a centralized loss event solution that records, tracks, and manages loss and near misses. Integrated workflow tools manage loss event process steps to ensure all events are reviewed, and appropriate action is taken when necessary. Automatic notifications indicate when a "remediation process" is required.

From the MetricStream's GRC framework discussed above, it seems clear that GRC initiatives are moving beyond static, compliance-focused activities to more proactive and timely risk identification and issue resolution steps. The next section talks about the key benefits that accrue by virtue of embracing the MetricStream's holistic GRC solution.

Business Benefits
Financial organizations today need a systematic approach to defining and managing GRC initiatives. The MetricStream solution has enabled leading corporations in diverse industries to ensure transparent and holistic view of all GRC-related activities across the enterprise. Integrating these processes, the MetricStream solution brings tangible improvements in the company’s understanding of its risk profile, while easing out the business-line burden and the cost of compliance. While direct costs savings are significant, indirect savings are far greater.

• Risk-Based Decision Making: The MetricStream’s GRC framework for financial services allows for efficient risk-based decision making and provides a streamlined process for evaluating opportunities for your organization. Each employee is encouraged to participate in the GRC process, and bears responsibility for looking at his or her role and responsibilities in the context of organizational risk management.
• Risk-Return Portfolios: The MetricStream's GRC framework provides the transparency and insight that business decision makers need to manage projects based on risk impact and probability relative to potential return.
• Risk Awareness: Implementation of the MetricStream’s integrated GRC Framework, in conjunction with related risk management activities, augments a cultural shift to a risk-smart workforce and environment
  in the organization. This further ensures that the organization has the capacity and tools to be innovative while recognizing and respecting the need to be prudent in protecting its interest.
• Organizational Efficiency: The implementation of the MetricStream's integrated GRC framework brings with it improved efficiency across the entire value chain - providing top-down coordination necessary to make financial and non-financial functions of an organization work efficiently. An integrated team not only better addresses the individual risks facing the company, but also the interdependencies between these risks.
• Organizational Sustainability and Strategic Advantage: The MetricStream's GRC framework brings about organizational sustainability and strategic advantages; more granularly it accrues increased understanding of corporate goals and objectives, enhanced talent management, reduced exposure and loss, and improved corporate stewardship and shareholder value.
• Visibility and Transparency: The MetricStream's GRC framework enables transparency across an enterprise and beyond. The solution gives management a systematic process for anticipating and controlling risks, and the tools to proactively determine proper actions and critical tasks, reducing unacceptable performance variability.
• Business Agility: As the current financial environment change at an ever-increasing pace, the MetricStream's comprehensive and integrated GRC framework helps organizations become better at identifying material business risks and their interdependencies. The solution helps management evaluate assumptions in the current business model, and assess the effectiveness of the strategies for new business models. By enabling decision makers to identify and assess alternative future scenarios, the solution leads to greater business agility and promotes competitive differentiation.

Solution Benefits Quick Implementation Seamless Integration User-friendly Built in reporting Robust Security

Conclusion
The current economic downturn has turned the spotlight on the financial companies around the world to face the challenges of managing the GRC in a holistic and strategic manner. Most financial organizations today strive to establish risk and compliance architectures, develop risk intelligence, and implement GRC platforms, as well as centralized communication and training on corporate policies and procedures.

MetricStream brings you the best-in-class GRC domain expertise that will enable you to achieve the goal of managing GRC with confidence. The solution provided an integrated framework for deploying effective governance and risk management processes that address changing business needs, and enhance the ability of banks and financial institutions to react rapidly to adverse events. The solution ensures effective compliance, creates opportunities for cost savings, brings operational efficiencies and above all, gives the true status of a company’s exposure to risk.