Financial Services: A Conundrum of GRC Challenges
Financial services organizations face complex, multi-faceted risk environments. Rapid growth and change in regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, disruptive technology, legacy technology, and business data encumber financial services organizations of all sizes. Managing this complexity, keeping change in sync, and keeping risk managed in this context is a significant challenge for boards, executives, and governance, risk management, and compliance (GRC) professionals throughout the business.
The modern financial services organization is:
- Distributed. Financial services organizations of all sizes can have distributed operations complicated by a web of global outsourcing, service provider, business partner, and client relationships. The traditional brick-and-mortar organization is a thing of the past: physical buildings and conventional employees no longer define a financial services organization. The financial services organization of today is an interconnected mesh of digital transactions, relationships, and interactions that blur traditional business boundaries. Complexity grows as these interconnected relationships, processes, and systems nest within one another.
- Dynamic. Financial services organizations are in a constant state of change. Distributed business operations and relationships are growing and changing at the same time the organization attempts to remain competitive with shifting business strategy, technology, and processes while keeping current with changes to risk and regulatory environments around the world. The risk environments to monitor span regulatory, geo-political, market, credit, and operational risks across the globe. Regulatory change has more than tripled in financial services in the past five years. Managing risk, regulatory, and business change on numerous fronts has buried many organizations, and keeping change in sync appears to be an impossible task.
- Disrupted. The explosion of data in organizations has brought on the era of “Big Data” and with it “Big GRC Data.” Organizations are attempting to manage high volumes of structured and unstructured risk and compliance data across multiple systems, processes, and relationships to see the big picture of performance, risk, and compliance. The velocity, variety, veracity, and volume of data are overwhelming, disrupting the organization and slowing it down at a time when a financial services organization needs to be agile and fast.
The components of governance, risk management, and compliance fail when managed in isolation. The decentralized, disconnected, and distributed systems of the past leave the financial services organization exposed and caught off guard by risk. The complexity of the business and the intricacy and interconnectedness of GRC data require an integrated approach to GRC. Dissociated data, systems, and processes leave the organization with fragments of truth that never add up to the big picture of performance, risk, and compliance across the enterprise. This is the problem: financial services organizations are so dynamic, and so knee-deep in risk and compliance checkboxes and remediation, that they cannot devote sufficient resources to the ‘change’ agenda. This is compounded by the way risk in one part of the business cascades through the rest of it.
Inevitable Failure: Misunderstanding the Scope of GRC
Managing GRC activities in disconnected silos leads the financial services organization to inevitable failure. Reactive, document-centric and manual processes for GRC fail to actively manage risk in the context of business strategy and performance, and leave the organization blind to intricate relationships of risk across the organization. Siloed GRC initiatives never see the big picture and fail to put GRC in the context of business strategy, objectives and performance, resulting in complexity, redundancy, and failure. The organization is not thinking about how GRC processes and controls can be designed to meet a range of risk and compliance needs. An ad hoc approach to GRC results in poor visibility across the organization and its control environment, because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches risk in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about risk and understand its impact on the organization.
A nonintegrated approach to GRC impacts business performance and how it is managed and executed, resulting in:
- Redundant and inefficient processes. Organizations often take a Band-Aid approach and manage risk in disconnected silos instead of thinking of the big picture and how resources can be leveraged and integrated for greater effectiveness, efficiency, and agility. The organization ends up with varying processes, systems, controls, and technologies to meet individual risk and compliance requirements. This means multiple initiatives to build independent GRC systems, projects that take time and resources and result in inefficiencies, high costs to consolidate disparate data silos and documents, and unreliable or irreconcilable risk assessment results because of different formats and approaches.
- Poor visibility across the enterprise. The organization cannot gain a clear view of risks and their dependencies. A reactive approach to GRC with siloed initiatives results in an organization that never sees the big picture. The organization ends up with islands of oversight that are individually assessed and monitored. The lines of business are burdened by multiple and differing risk and compliance assessments asking the same questions in different formats. The result is poor visibility across the organization and its GRC environment.
- Overwhelming complexity. Varying risk and compliance frameworks, manual processes, over-reliance on spreadsheets, and point solutions that lack an enterprise view introduce complexity, uncertainty, and confusion to the business. Complexity increases inherent risk and results in processes that are not streamlined and managed consistently, introducing more points of failure, gaps, and unacceptable risk. Inconsistent GRC confuses not only the organization but also regulators, stakeholders, and business partners. Accurate data becomes difficult to maintain, and GRC cannot be reported and trended across assessment and reporting periods.
- Lack of business agility. The organization lacks the agility to respond in a timely way to changing environments and situations. Running a reactive GRC strategy, managed in siloed and manual processes with hundreds or thousands of disconnected documents and spreadsheets, handicaps the business. The organization cannot be agile in a demanding, dynamic, and distributed business environment. This is exacerbated by documents, point technologies, and siloed processes that are not at the enterprise level and lack analytical capabilities. People become bewildered in a maze of varying approaches, processes, and disconnected data organized without any sense of consistency or logic.
- Greater exposure and vulnerability. No one looks at GRC holistically across the enterprise. The focus is on what is immediately before each department and not the complex relationships and dependencies of risk across the organization. This is exacerbated by many so-called GRC solutions that focus on assessment and replacing spreadsheets, but do not deliver analytics or align with business applications. This creates gaps that cripple GRC, and a business that is ill-equipped to align GRC to the business.
The Bottom Line: The governance, risk management, and compliance architecture is about the interactions and relationships of cause and effect across the various platforms supporting the business. GRC therefore fails when risk issues are addressed as a system of parts rather than as a collective whole. A complete situational and holistic awareness of GRC is required across all operations, processes, relationships, systems, transactions, and data in order to see the bigger picture of risk and its cascading impact on organization performance and strategy.
Bank of Tanzania: Value Achieved in Enterprise GRC
The Challenge Bank of Tanzania Faced
The Bank of Tanzania is the central bank of the United Republic of Tanzania and is responsible for issuing the national currency, the Tanzanian shilling. The bank is governed by a Board of Directors headed by its Governor, who is assisted by three deputy governors responsible for Administration, Economic and Financial Policies, and Financial Stability.
For years, the bank had a fragmented, manual, siloed, document- and spreadsheet-based approach to managing risk, compliance, audit, policies, and issues. This approach led to inconsistencies in risk data which, in turn, made it difficult to analyze risks at the enterprise level. The variety of siloed repositories, spreadsheets, and unassociated databases made it impossible to aggregate data at an enterprise level to drive risk-based decisions.
The bank struggled with the lack of a formal risk management process. Business units were managing their risks in an informal approach. It was difficult to calculate the exact cost for risk management in terms of time, money, and other resources. Overall, the bank was incurring high costs on compliance and audit follow-ups as well as costs on contract initiation. It was taking the bank around four weeks to review contract documents, around three weeks to respond to audit findings and issues, and around three weeks to perform risk assessments and reporting.
The lack of an integrated GRC framework made it impossible to model and map complex organizational hierarchies and structures, with every department and business line working in silos. Lack of collaboration and communication made it difficult for teams to work together. With GRC information trapped in scattered documents and databases, it was not possible to integrate with existing enterprise and third-party systems to pull and push GRC data. This resulted in a lack of visibility into the enterprise risk and compliance management process.
Silos of GRC processes were as follows:
- Risk management. The bank followed a manual, siloed, document-, email-, and spreadsheet-based risk management program with no real-time risk intelligence. Most risk and control assessments were performed in silos where users would apply different risk scoring methodologies and calculations. This gave rise to inconsistencies in risk data which, in turn, made it difficult to analyze risks at the enterprise level. Given the size of the organization and the complexity of the business, it was becoming increasingly challenging to monitor its risk initiatives and manage increasing costs and resource involvement. The bank needed to strengthen its risk management processes and provide evidence to regulators and stakeholders of how risks were being assessed and mitigated.
- Internal audit. The bank followed varying and non-standard auditing practices. An increasing number of audits led to challenges in managing audit requirements and resources. Limited integration and collaboration across these initiatives led to audits and risks being managed in different ways, with redundancy and duplicated effort across the enterprise. The biggest challenge was consolidating vast amounts of data from multiple audit programs across the organization without a single system for monitoring and controlling audit activities at the corporate level.
- Compliance management. The bank was managing its compliance initiatives manually, with compliance data scattered across multiple spreadsheets. It was finding it increasingly difficult to keep track of compliance across its operations, and it was taking considerable time and effort to aggregate and sort the data into meaningful compliance reports.
- Policy and document management. The bank had multiple internal business groups across the enterprise developing and managing policies using a variety of disparate approaches and templates. Lack of standardization often resulted in duplication of effort, costs, and content. Different policies were stored in different repositories, and it was challenging for stakeholders to quickly search for and locate the policy they needed when they needed it.
- Business continuity management. The bank used a spreadsheet approach for business impact assessments (BIA). There was no method to link BIA results to business continuity plans and tests. The methodology and formulas for calculating recovery objectives were complex, and ad hoc workflows added to the overall challenge. The organization needed to streamline existing workflows to develop a centralized and standardized BCM framework.
Solution to the Bank of Tanzania’s Problem
With the Bank of Tanzania constantly facing challenges with this approach, and in order to stay relevant in a highly dynamic banking environment, the bank decided to adopt a federated approach to managing its GRC operations. After evaluating several GRC solutions, it chose MetricStream’s enterprise GRC platform to build a strong risk culture and enhance its brand and reputation. After successful implementation of MetricStream’s Integrated GRC solution, the bank has become one of the pioneers in the region to implement a large-scale GRC project.
The goal was to implement an integrated GRC program to automate the bank’s day-to-day GRC activities. The project objective was to automate manual GRC activities across the bank in a more efficient, streamlined, and integrated manner and to ensure that the bank would adopt a paperless approach to executing all of its GRC activities.
Prior to implementation of the project, MetricStream and the bank conducted a joint project risk analysis, producing a project risk register and mitigation strategies. The register helped all project stakeholders track risks and manage them in a timely manner. The risks were regularly reviewed in technical and steering meetings that discussed progress, analyzed challenges, and decided how to resolve them. With this approach the team implemented and met all objectives within the preset time, with the expected quality, and within budget.
Right at the start of the engagement, the project teams from MetricStream and the bank worked in close collaboration to map out the requirements of the project in detail. The teams meticulously listed the details and mapped them to MetricStream’s App capabilities. This ensured all the requirements were met by the MetricStream Apps with minimal customization, resulting in Phase I of the project being completed in a record time of six months. To increase the speed of the implementation and to reduce back-and-forth interactions, MetricStream consultants were present on the client premises, which minimized telephone and internet-based communication and increased face-to-face interaction.
The suite of MetricStream apps implemented in a single MetricStream solution included:
- Enterprise Risk Management manages, monitors, and assesses the enterprise and operational risks of the bank. It enables the bank to deliver dynamic reports, charts, and heat maps for senior management, enabling better decision-making. The bank can raise issues found while assessing its risks and track them to resolution. The issue management functionality provides reporting and charts showing issues by function and the time taken to close them.
- Compliance Management provides a comprehensive system to manage a range of regulatory and corporate compliance requirements for the bank. Scaling across the bank’s regulatory domains, the solution integrates and maps compliance mandates and controls in a central framework, thereby simplifying compliance management and monitoring. The bank can now streamline and standardize compliance and control processes, minimizing deviations and redundancies. Graphical dashboards provide in-depth visibility across the compliance program, enabling the bank to proactively identify and address areas of concern.
- Internal Audit Management manages the complete audit process from audit planning through audit execution and reporting. It enables the bank to initiate and follow up on audit-related issues through to closure using the issue management functionality.
- Policy & Document Management enables the bank to manage all documents (across the various departments of the bank) such as contracts, notices, policies, and procedures throughout their lifecycle from creation, to publishing, to retirement, and finally archiving. The solution reduces the use of paper-based processes at the bank and adds value in terms of deployment of physical resources, time savings, and process improvements through automated ownership and change management of documents.
- Business Continuity Management handles end-to-end continuity planning and testing across all the business units in the bank. The solution allows the bank to define streamlined workflows that help BCM teams conduct BIAs and risk assessments, create BCPs, track plans, and conduct plan exercises. The solution simplifies the calculation of the Recovery Time Objective (RTO) and Maximum Tolerable Period of Disruption (MTPD) for each process and asset. It specifically supports business impact analysis, continuity and recovery planning, plan testing, and crisis and incident management. The solution facilitated the implementation of a BCM policy that complies with the ISO 22301 standard.
- IT Risk Management enables the bank to simplify the identification, analysis, and mitigation of IT risks. The solution cuts across enterprise silos and integrates IT risk data in a common framework for comprehensive visibility and streamlines the IT risk management lifecycle, including risk documentation, assessments, control management, and issue detection and resolution. IT risks are mapped to business risks to strengthen reporting that is supported by analytics that transform raw risk data into actionable IT risk intelligence.
- Threat and Vulnerability Management supports the effective management of IT assets across the bank’s operations by proactively aggregating and correlating threats and vulnerabilities through integration with QualysGuard. The solution automatically pulls in threat and vulnerability information from external systems, links this data to critical assets to identify risk exposures, and triggers a streamlined and automated process of remediation.
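The correlation step described above, linking scanner findings to assets in the GRC library and ranking them for remediation, is what turns a vulnerability feed into risk exposure. The following is an added illustration written for this page; it is not MetricStream’s or the bank’s code and does not use the QualysGuard API or its report schema. The `Asset` and `Finding` fields, the severity-to-SLA policy, the exposure score (scanner severity times asset criticality, one rule applied to every unit), and all sample records are assumptions constructed here. It also handles the edge case a practitioner cares about: a host the scanner sees but the GRC library does not know is reported as a library gap rather than silently dropped or scored low.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Asset:
    """An entry in the GRC asset library (field names are assumptions)."""
    asset_id: str
    hostname: str
    criticality: int            # 1 (low) .. 5 (critical), owned by the GRC library
    processes: Tuple[str, ...]  # business processes that depend on this asset


@dataclass(frozen=True)
class Finding:
    """One vulnerability detection as a scanner might report it (simplified, assumed)."""
    finding_id: str
    asset_id: str
    severity: int               # 1 (low) .. 5 (critical) as rated by the scanner
    first_seen: date


@dataclass(frozen=True)
class Ranked:
    finding: Finding
    asset: Asset
    score: int                  # severity x criticality, 1..25
    due: date                   # remediation deadline under the SLA
    overdue_days: int           # 0 while still within the SLA


# Assumed remediation SLA: days allowed per scanner severity.
SLA_DAYS = {5: 7, 4: 14, 3: 30, 2: 60, 1: 90}

# Constructed sample data; not real bank assets or real scan output.
ASSETS: Dict[str, Asset] = {a.asset_id: a for a in (
    Asset("A-001", "core-banking-db01", 5, ("Payment settlement", "Currency issuance")),
    Asset("A-002", "intranet-web01", 2, ("Internal communications",)),
    Asset("A-003", "swift-gw01", 5, ("Payment settlement",)),
)}
FINDINGS: List[Finding] = [
    Finding("F-1", "A-001", 5, date(2016, 5, 1)),
    Finding("F-2", "A-002", 4, date(2016, 5, 25)),
    Finding("F-3", "A-003", 3, date(2016, 5, 20)),
    Finding("F-4", "A-999", 5, date(2016, 5, 30)),  # host the GRC library does not know
]
TODAY = date(2016, 6, 1)  # fixed "today" so the run is reproducible


def exposure_score(finding: Finding, asset: Asset) -> int:
    """One scoring rule for every unit, so results are comparable across silos."""
    return finding.severity * asset.criticality


def due_date(finding: Finding) -> date:
    return finding.first_seen + timedelta(days=SLA_DAYS[finding.severity])


def prioritize(findings: Iterable[Finding], assets: Dict[str, Asset],
               today: date) -> Tuple[List[Ranked], List[Finding]]:
    """Join findings to the asset library and rank them for remediation.

    Returns (ranked, unregistered): overdue items first, then by exposure score,
    then by nearest deadline. Findings on hosts missing from the library are
    returned separately because they are a gap in the library, not a low risk.
    """
    ranked: List[Ranked] = []
    unregistered: List[Finding] = []
    for f in findings:
        asset = assets.get(f.asset_id)
        if asset is None:
            unregistered.append(f)
            continue
        due = due_date(f)
        overdue = max(0, (today - due).days)
        ranked.append(Ranked(f, asset, exposure_score(f, asset), due, overdue))
    ranked.sort(key=lambda r: (r.overdue_days == 0, -r.score, r.due))
    return ranked, unregistered


def affected_processes(ranked: Iterable[Ranked]) -> Dict[str, Set[str]]:
    """Walk the asset -> process dependencies to show which business processes are exposed."""
    out: Dict[str, Set[str]] = {}
    for r in ranked:
        for proc in r.asset.processes:
            out.setdefault(proc, set()).add(r.finding.finding_id)
    return out


if __name__ == "__main__":
    ranked, unregistered = prioritize(FINDINGS, ASSETS, TODAY)
    for r in ranked:
        print(f"{r.finding.finding_id} {r.asset.hostname:18} score={r.score:2} "
              f"due={r.due} overdue={r.overdue_days}d")
    for f in unregistered:
        print(f"{f.finding_id} asset {f.asset_id} is not in the GRC library; classify it")
    for proc, ids in sorted(affected_processes(ranked).items()):
        print(f"{proc}: {sorted(ids)}")
```

With the constructed data, the overdue critical finding on the core banking database ranks first even though a newer finding on the intranet server has a higher scanner severity than the third item; criticality from the library, not scanner severity alone, decides the order, and the unregistered host is surfaced as work for the asset owners rather than lost.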
The short-term benefits the bank achieved in the first-year of implementation were:
- Minimized effort to create attributes such as risks and processes, and to share information, because of the centralized GRC library.
- Timely availability of reports such as audit, threat and vulnerability, and risk reports.
- Tracking of documents and contracts, so that at any time one could know what stage an initiated transaction or document had reached.
- Performance measurement, so that for any task one could know how long it took and which user it was assigned to.
- Reduced processing time for audit, contracts, and document review.
- Improved IT security using big data technology for vulnerability assessment.
- Streamlined workflows to manage end-to-end GRC processes.
- Automated calculation of risk as well as business continuity recovery objectives.
- Two-way integration with GRC library to map an asset to associated dependencies and vice versa.
- Automated linking of BIA and risk assessment results to plans.
- Shared information, processes, risks, controls, and policies across different functions, enabling risk-based audits, BIA, and risk management.
- Reduced paperwork now that information creation, review, publishing, and attachment are done online.
The projected ongoing long-term benefits for the bank over three to five years are:
- Cultivate a long-term GRC vision that touches all facets of the organization and drive significant efficiencies while reducing risk and improving return on investment.
- Establish a sustainable process and infrastructure that addresses GRC issues collaboratively and efficiently as business requirements evolve.
- Enable a unified framework for managing risks, audits, and policies which is integrated with the organization’s existing business processes.
- Significantly reduce cost of managing risk, compliance and audits in long-term.
- Centralization and standardization of GRC processes.
- Development of a culture that is risk aware and ready to act when issues arise.
Bank of Tanzania Achieved Value in GRC Efficiency, Effectiveness, and Agility
GRC is an integrated capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].1 Successful GRC strategies deliver the ability to effectively mitigate risk, meet requirements, satisfy auditors, achieve human and financial efficiency, and meet the demands of a changing business environment. GRC solutions should achieve stronger processes that utilize accurate and reliable information. This enables a better performing, less costly, and more flexible business environment.
GRC 20/20 measures the value of GRC initiatives around the elements of efficiency, effectiveness, and agility. Organizations looking to achieve GRC value will find that the results are:
- GRC Efficiency. GRC provides efficiency and savings in human and financial capital resources by reduction in operational costs through automating processes, particularly those that take a lot of time consolidating and reconciling information in order to manage and mitigate risk and meet compliance requirements. GRC efficiency is achieved when there is a measurable reduction in human and financial capital resources needed to address GRC in the context of business operations.
- GRC Effectiveness. GRC achieves effectiveness in risk, control, compliance, IT, audit, and other GRC processes. This is delivered through greater assurance of the design and operational effectiveness of GRC processes to mitigate risk, protect integrity of the organization, and meet regulatory requirements. GRC effectiveness is validated when business processes are operating within the controls and policies set by the organization and provide greater reliability of information to auditors and regulators.
- GRC Agility. GRC delivers business agility when organizations are able to rapidly respond to changes in the internal business environment (e.g. employees, business relationships, operational risks, mergers, and acquisitions) as well as the external environment (e.g. external risks, industry developments, market and economic factors, and changing laws and regulations). GRC agility is also achieved when organizations can identify and react quickly to issues, failures, non-compliance, and adverse events in a timely manner so that action can be taken to contain these and keep them from growing.
GRC 20/20 has evaluated and verified the implementation of MetricStream at the Bank of Tanzania and confirms that this implementation has achieved measurable value across the elements of GRC efficiency, effectiveness, and agility. In this context, GRC 20/20 has recognized MetricStream and the Bank of Tanzania with a 2016 GRC Value Award in the domain of Enterprise GRC.
GRC Efficiency Value
Using MetricStream, the Bank of Tanzania has been able to identify both quantitative (hard objective facts and figures) and qualitative (soft subjective opinions and experience) measures of value as they pertain to the human and financial efficiencies it has benefited from. These include:
- Significant decrease in time to identify, collate, and evaluate the top risks affecting the bank.
- Reduction in processing time for reviewing audit and contract documents from 24 days to 2 days after implementation of MetricStream.
- Reduction in total time taken to perform risk assessments and reporting, from three weeks to one week.
- 50% reduction in costs for compliance and audit follow ups.
- 90% reduction in costs on contract initiation.
- Significant reduction in the time taken to respond to audit issues and findings: the bank can now respond to audit issues instantly, compared with an average of around three weeks before.
- Creation and processing time for BIAs reduced from 7 days to 1 day.
- Reduction in manual processes and paperwork through the adoption of a centralized and automated approach to manage their GRC operations.
- Reduction in processing time for audit and contract documents.
- Reduction in the number of overdue issues because of the streamlined ability to respond to audit issues.
GRC Effectiveness Value
Using MetricStream, the bank has identified both quantitative and qualitative measures of value as they pertain to the effectiveness of enterprise GRC that it benefited from, these include:
- Increased collaboration and sharing through a centralized system.
- Standardization in the risk taxonomy within the bank across multiple operations and business units, enabling increased collaboration and information sharing among employees for better risk governance.
- Automated GRC workflow that results in elimination of manual processes managed in multiple spreadsheets and documents.
- Complete visibility into the risk management processes across the bank which results in higher quality risk information that can be analyzed in context of other risks.
- Common GRC library eliminated duplication of risks and issues resulting in significant savings in the effort and resources used to manage them.
- Intuitive user-friendly interface simplifies the learning process for GRC users, which helped them to quickly design new risk assessments as well as audit and compliance questionnaires.
- Enabling business continuity management through the creation and validation of business continuity plans, testing, and exercises. It provides simplified formulas to calculate recovery objectives (e.g., RTO, RPO, and MTPD).
- Proactive risk and compliance dashboards and reports that have real-time visibility into the risk and compliance management process resulting in protection of revenue or savings through proactive risk management.
- Increased visibility and transparency supported by analytical capabilities providing complete visibility into GRC processes across the bank to allow them to make better decisions to achieve business objectives.
GRC Agility Value
Using MetricStream, the bank has identified both quantitative and qualitative measures of value as they pertain to the agility of enterprise GRC that it benefited from, these include:
- Development of standardized GRC culture that provides situational and holistic awareness of the GRC operations across the enterprise. This has led to an increase in the level of GRC understanding and participation by the bank’s employees.
- A scalable MetricStream implementation that enables the bank to grow its GRC operations beyond the roughly 140 users at present to achieve maximum output and efficiency over time.
- Ability to rapidly design new risk and control assessments, modify existing assessments, and design compliance and audit questionnaires to adapt to dynamic regulatory, risk, and business environments.
- A common integrated GRC information architecture helps to quickly identify the top risks affecting the organization. The system provides real-time access to all issues logged during the risk assessment, compliance, and audit processes.
- Keep policies and controls current in line with any change in the internal or external business environment.
- A centralized GRC information architecture allows for consolidation and mapping of business entities across the organization to identify dependencies, eliminating redundant data and ad hoc workflows.
- Flexibility of the system to interface with other existing business and banking applications enables an integrated corporate enterprise GRC solution.
GRC 20/20’s Final Perspective . . .
The greatest strength of this case study is building a successful integrated GRC framework across the Bank of Tanzania, which acts as the nucleus for the variety of risk, compliance, audit, policy, issues, and business continuity management processes. These were earlier being managed in silos and as separate programs, thereby creating inefficiencies in the overall organization. This implementation of MetricStream has increased the situational awareness of GRC within the bank, enabled employees to engage in GRC, and is the backbone in the creation of a risk-aware culture across the bank. An integrated GRC approach with MetricStream’s GRC platform enables the bank to establish long-term GRC oversight that touches all dimensions of the organization and drives significant efficiencies while reducing risk. They now have in place a robust infrastructure to address GRC issues in a collaborative and efficient manner, which is integrated with the overall business objectives of the organization.
The implementation has underscored the bank’s responsibility towards all its stakeholders and has set an example for other banks and companies in the region to start building GRC programs in their own organizations.
About GRC 20/20 Research, LLC
GRC 20/20 Research, LLC (GRC 20/20) provides clarity of insight into governance, risk management, and compliance (GRC) solutions and strategies through objective market research, benchmarking, training, and analysis. We provide objective insight into GRC market dynamics; technology trends; competitive landscape; market sizing; expenditure priorities; and mergers and acquisitions. GRC 20/20 advises the entire ecosystem of GRC solution buyers, professional service firms, and solution providers. Our research clarity is delivered through analysts with real-world expertise, independence, creativity, and objectivity that understand GRC challenges and how to solve them practically and not just theoretically. Our clients include Fortune 1000 companies, major professional service firms, and the breadth of GRC solution providers.
GRC 20/20 research reports are written by experienced analysts with experience selecting and implementing GRC solutions. GRC 20/20 evaluates all GRC solution providers using consistent and objective criteria, regardless of whether or not they are a GRC 20/20 client. The findings and analysis in GRC 20/20 research reports reflect analyst experience, opinions, research into market trends, participants, expenditure patterns, and best practices. Research facts and representations are verified with client references to validate accuracy. GRC solution providers are given the opportunity to correct factual errors, but cannot influence GRC 20/20 opinion.