The money laundering controversies that have plagued Europe’s banking sector over the past year reveal deep fractures in governance and oversight. Yet Europe isn’t alone in grappling with these issues. Around the world, leading financial institutions have come under the scanner for misleading sales practices, price fixing, and other scandals – all of which warrant an introspective look at Governance, Risk, and Compliance (GRC) programs.
For years, these programs have been driven by compliance pressures, the sole objective being to stay out of trouble with regulators. Yet, this approach is prone to failure, for it evaluates risks from a very narrow perspective. Consider recent instances of financial fraud. The immediate losses faced by the banks in question ranged from almost $2 billion to $10 billion. But more than that, the banks lost as much as 20%-25% of their market value. Public confidence in the institutions plummeted as hordes of customers left in search of more trustworthy alternatives.
Clearly, the impact of a risk event like fraud goes well beyond direct financial losses or even compliance fines, causing irreparable damage to corporate reputations and trust, both of which are among the most valuable assets an organization possesses. Understanding these long-term consequences, and building them into ROI calculations of GRC investments is key to helping banks prioritize their risk mitigation efforts.
Money laundering scandals and frauds aren’t the only drivers of GRC investments. Here are six other key trends that are prompting financial institutions to effectively mitigate risk, strengthen compliance, and build good governance practices:
Today’s banks are dealing with a completely different set of customers than they did five or ten years ago. These new customers demand instant gratification through products and services that are customized to their specific needs. How does one anticipate those needs? By analyzing customer behavior data. Today, large volumes of this data have become available through the proliferation of digital banking and other such channels. However, like every asset, customer data brings with it many inherent risks such as data breaches and privacy issues.
In response, many leading global banks are building strong data governance models. They’re using enterprise GRC solutions to conduct data privacy assessments that can help them understand the type of data collected at every customer touchpoint, as well as the ways in which that data is leveraged. Their objective is to ensure that customer data is not only protected against theft, but also guarded against misuse by overzealous data scientists in the organization.
Banks today operate in an unforgiving market ecosystem where news of every risk event—be it financial loss, misconduct, or non-disclosure of conflicts of interest—is rapidly disseminated through social media, resulting in deeply negative publicity that can have an exponential impact on market valuations.
Some of the most complex, diversified financial institutions globally are trying to understand and manage these risks. They are aligning customer complaints metrics around conduct risk and governance issues (e.g., mis-selling and non-compliance with fair lending practices), to the calculation of sales incentives. This approach is boosting their integrity quotient, enabling them to reduce incidents of misconduct, while also encouraging risk-aware decision-making in their traditionally ROI-driven sales function.
The competition in the financial services industry is rapidly changing with a new breed of fintech firms that are challenging the dominance of traditional players. An Accenture study notes that in Europe alone, bank newcomers—including non-bank payment institutions and bigtech—have grabbed one-third of revenue growth.
Firms like these are changing the very business model on which banks have built their operating profits. To survive and thrive, banks will need to innovate with their products and services, while leveraging new types of assets and operating markets that were hitherto beyond their purview -- a case in point being digital wallets.
As banks adopt these new technologies, many are using enterprise GRC solutions to understand the evolving cyber risk profile of their business. Risk quantification frameworks are being leveraged to translate cyber risk exposures into value at risk measures which can then be used in risk mitigation strategies such as deciding on an optimal insurance cover, or determining the right amount of capital allocation for adverse risk events.
Disruptive innovations like blockchain, cryptocurrencies, and artificial intelligence are challenging the principle of a trusted intermediary on which the banking system stands. It’s no surprise, therefore, that risk management programs are increasingly aligning strategic risks to market disruptions and trends. Tackling disruptions in itself is a challenge, let alone leveraging the small window of opportunity that these disruptions provide.
As regulators try to keep pace with rapid changes in the market, banks have the arduous task of responding to constantly changing regulations with agility and zero errors. They are also expected to ensure compliance with market expectations around integrity. Any lapses can be a major competitive disadvantage, as negative news travels quickly, and can set into motion a domino effect of adverse consequences.
Regulatory compliance programs are no longer simply about ticking a box, but about preserving organizational integrity and credibility. The first line of defense has become a core part of this process. To help them take ownership of compliance risks, some banks are looking to build a compliance advisory function whose role is to ensure that business users have all the regulatory insights and information they need, whenever they need it, to execute a transaction.
The rapid pace of innovation around predictive analytics and artificial intelligence has provided banks with new ammunition to fuel growth, and weed out volatility. Boards and senior management can now rely on data and predictive models to make better-informed, risk-weighted decisions. McKinsey Global Institute estimates the annual potential value of artificial intelligence in banking at as much as 2.5% - 5.2% of revenues, or $200 billion - $300 billion annually.
Even banking regulators are depending on data to govern markets. They’re moving away from retrospective assessments and examinations, to a more real-time evaluation of risks facing the financial system. Many regulators are exploring the use of analytics to study risk event information from regulated entities. This data is then used to (a) predict emerging and evolving risk trends, (b) monitor systemic risk metrics continuously and in real time, (c) design forward-looking market scenarios to assess systemic stress, and (d) prescribe regulations.
As banks strive to demonstrate a culture of integrity to stakeholders and customers, GRC programs have become a key priority. The emphasis is on building the ability to be perceived as institutions of trust which, in turn, impacts long-term business performance.
Scarred by recent financial frauds, misconduct, and other scandals, banks have begun a systemic movement of adopting global best practices in GRC to help them ensure that the reputation of financial markets remains sacrosanct.
As a top multi-national financial institution, the bank is expected to meet multiple regulatory obligations, while efficiently managing a range of risks, including operational, IT, and reputational risks. Previous approaches to risk management and compliance were largely siloed and, thereby, difficult to scale or sustain. However, with the MetricStream Enterprise GRC Solution, the bank was able to implement an integrated approach to GRC. The solution provides a “single source of truth” for risk aligned with strategy. Powerful dashboards deliver visibility into top and emerging risks, allowing stakeholders to proactively focus on the most critical areas.
Users also have a 360-degree view of compliance across the enterprise with regulatory obligations mapped to lines of business, policies, controls, roles, and responsibilities. Through this integrated approach, the bank has gained the real-time insights it needs to make better, more risk-informed business decisions that drive performance.
Banks and financial services institutions have their work cut out for them as they strive to accelerate performance and growth in a digital, disruptive age. The risks are many, and the regulations are complex. However, a strong GRC program based on principles of trust and integrity can go a long way towards building safer, better governed, and more risk intelligent organizations.