What’s Next in GRC for Banking and Financial Services Industry in the Americas

The banking and financial services (BFS) industry has shown remarkable resilience in the wake of the COVID-19 pandemic. This unprecedented health and economic crisis has served as the real-world test of the reforms that were introduced following the financial meltdown of 2008. Despite the initial setback with the lockdowns, social distancing norms, and remote working conditions, BFS companies were able to get back on their feet in no time and continue business operations in this new normal. The lessons learned during the pandemic will definitely shape the BFS sector of the future.

In the post-pandemic world, some companies fared better than others in adapting to the new business environment. So, what did they do differently? As revealed by our survey, these organizations had a more proactive and assertive approach to risk management rather than a defensive and reactive approach.

The conversations surrounding risk management are now evolving and becoming more resilience-centric. Risk teams, senior management, and the board are no longer only asking questions such as "How can we prevent the loss?" and "What can we do to minimize the damage?" but also "How can we be better prepared in the future?", "What can we do to turn risk into a strategic advantage?", and "How can we thrive on risk?" That said, the risk profile of BFS companies is changing drastically, as the pandemic has led to a myriad of new risks and intensified existing ones. Regulators, too, are leaving no stone unturned to protect the interests of stakeholders in this rapidly evolving risk and business landscape. As a result, the BFS sector, which was already inundated with regulatory obligations, now has to traverse an even more complex regulatory environment. To put things in perspective, banking companies today have to handle an average of 220 regulatory alerts per day, compared to just 10 per day back in 2004.

It is difficult to say if the worst is over with deadlier variants of the coronavirus still threatening the return to normalcy. What BFS enterprises can do, however, is ensure their preparedness for the unknown unknowns. For this, they must focus on improving their holistic and peripheral view of risks and evolve their governance, risk, and compliance (GRC) approach and technology with the pace of digitization.

The first in our trilogy of eBooks aims to bring to the forefront the GRC challenges currently being faced by the BFS sector in the North American region and discusses what the future holds. The subsequent eBook will focus on the European Union and the last one on the Asia Pacific (APAC) region.

26.32% of the total respondents from the BFS industry said that they are using an integrated platform to manage risks. Organizations that had deployed an integrated risk solution did not make any changes to risk programs and strategies due to the pandemic.

- MetricStream State of Risk Management Survey Report 2021

What's Now: GRC Challenges for the North American BFS

The radical shifts in BFS operations, such as remote and hybrid working models, amplified digitization efforts, the pivot towards cloud computing, and growing dependency on third-party service providers, are likely to stay even after the pandemic is over and its impact recedes. This, along with heightened regulatory scrutiny and an evolving risk profile, has renewed the much-needed focus on GRC. According to Gunjan Sinha, Executive Chairman at MetricStream, the pandemic has triggered the third wave of GRC: the first wave was driven by the financial crisis of 2008, and the second was spurred by technological breakthroughs around 2015.

Here is a look at some of the key GRC challenges that the BFS industry faces today:

Cyber Threats:

The sudden onset of the pandemic and the subsequent lockdowns have impacted organizations in more ways than one. In 2019, Boston Consulting Group estimated that financial service firms are 300 times more likely to experience a cyberattack than other firms. The analysis was done before the pandemic disrupted operations across industries.

To contend with the pandemic-led disruption, BFS enterprises had to accelerate the pace of digital transformation, condensing digitalization timelines from years to a matter of weeks. Furthermore, as work moved home, beyond the reach of the office firewall and enterprise security mechanisms, the entire workforce became more susceptible to cyberattacks. In this new, digital-first operational environment of hyper-connected businesses, the cyberattack surface of organizations is continuously expanding and is no longer limited to their own infrastructure.

In a report published in January 2020, the Federal Reserve Bank of New York assessed the spillover impact of cyberattacks due to the interconnectivity of banks. According to the report, a cyberattack on any of the five most active U.S. banks will result in significant spillovers to other banks, with 38 percent of the network affected on average.

Furthermore, the digital interconnectedness of BFS organizations with third-party vendors has amplified considerably in the post-COVID world. Viewing cyber risks without factoring in third-party cyber risks would therefore not present a complete picture. The recent spurt in the number of security breaches has underscored the growing third-party cyber risks, showing how a security incident at one organization can quickly travel and paralyze several other connected businesses. Organizations are also often left with an extremely short window of time to react to any such emerging or existing risk event.

In addition, BFS companies are increasingly facing cloud concentration risk due to over-dependence on one service provider for critical services. In the past couple of years, the pivot towards cloud adoption has increased as it offers several benefits such as scalability, cost savings, speed and agility, and more. However, the cloud market today is being dominated by a handful of major players, making organizations vulnerable to cloud concentration risk—a single point of failure at one service provider could quickly morph into systemic risk.

In the BFS industry, cybersecurity and data privacy risk took the top spot with 52.94%, while 20.59% of respondents ranked compliance risk as the second most critical risk. 29.41% believe that operational risk is third on the list.

- MetricStream State of Risk Management Survey Report 2021

Complex Extended Ecosystem:

With the growing reliance on vendors, such as business consultants and contractors, payment gateways, service providers, and others, for key operations and services, BFS organizations today have a highly complex extended ecosystem. The complexities are turned up a notch with fourth and subsequent parties.

While outsourcing tasks to vendors helps to dramatically cut costs and enhance competitiveness, it introduces several governance and risk management challenges, such as those stemming from non-compliance, unethical practices, financial risks including vendor bankruptcy or business disruption, exposure to Tier 2 vendors, legal issues, and access to confidential data. It becomes imperative, therefore, to proactively identify these risks and implement the appropriate controls to manage the supplier network effectively and keep the associated risks in check.

In July 2021, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency (OCC) proposed guidance on managing risks associated with third-party relationships. In the proposed guidance, the agencies have detailed a framework of sound risk management principles to assist banking organizations in managing vendor relationships and promote compliance with all applicable laws and regulations.

How Mastercard Built a Safer Payments Ecosystem with a Fourth-Party Risk Monitoring Program

Being one of the world’s largest payments technology providers, Mastercard has a highly complex operational ecosystem comprising several third- and fourth-party vendors. Previously, the company had no visibility into the risk controls in place for fourth parties brought by customers to its ecosystem. To overcome this challenge, the payments giant took the proactive step of building a new fourth-party risk management program from the ground up. It chose MetricStream Third-Party Risk Management, built on the MetricStream Platform and running on the AWS cloud.

With the implementation, Mastercard now has a unified, holistic view of all third- and fourth-party risks and can perform faster risk assessments with automatic segmentation of fourth parties into various risk categories. The efficiency of assessment processes has significantly improved with the automatic distribution of questionnaires and population of responses. The solution also provides actionable and timely fourth-party risk insights, thereby accelerating Mastercard’s risk response.

Regulatory Pressure:

BFS is one of the most heavily regulated industries today, and rightly so. The financial crisis of 2008 was a wake-up call for the financial regulatory authorities to ensure that all gaps are closed, and appropriate controls are established so that the BFS sector—the backbone of the economy—does not collapse again. It led to an elevated focus on various financial GRC measures, such as capital adequacy, scenario planning, and loss management, as well as a deluge of financial regulations.

It has been a long journey since then, and the BFS sector now operates within a more stringent regulatory perimeter and faces hefty penalties for non-compliance. Today, banking sector companies have to comply with a number of regulations and standards, including Basel III’s risk-weighted capital requirements, the Bank Secrecy Act, the Dodd-Frank Act, Current Expected Credit Losses (CECL), Allowance for Loan and Lease Losses (ALLL), and many others.

The fines for non-compliance with Anti-Money Laundering (AML), Know Your Customer (KYC), data privacy, and MiFID regulations totaled $10.6 billion for the financial sector in 2020, marking a 27% rise from the year before, according to Fenergo. Non-compliance does not only result in a monetary loss but could also lead to reputational damage and loss of stakeholder trust.

More recently, with the growing focus on Environmental, Social and Corporate Governance (ESG), the BFS sector is likely to face a fresh wave of regulations related to climate risk disclosures. Gunjan believes that ESG will drive the fourth wave of GRC, and it seems it is already starting to take shape. In June 2021, the U.S. House of Representatives passed legislation that would require publicly traded companies, including those operating in the financial sector, to disclose information about their exposure to climate-related risks.

This will mark a new chapter for BFS as it is likely to bring a shift in value proposition – from being profit-driven to becoming purpose-driven. In this age of social media and speak-up culture, a key differentiator for organizations would be how they position themselves with respect to environment, diversity and inclusion, ethics, integrity, and global sustainability.

"With trends of ESG and the needs of the future, companies must not exist for the maximization of profits. They must be real architects for building and sustaining the true communities in which they survive and thrive."

- Gunjan Sinha, Executive Chairman at MetricStream

Operational Risks:

In addition to cyber and regulatory risks, the BFS sector today is navigating an extremely unsettled business landscape with geopolitical power shifts, growing instances of natural calamities, pandemic-driven global economic slowdown, and other such factors. According to a Congressional Research Service report, the resurgence of infectious cases not just in the U.S. but around the globe has renewed calls for lockdowns and curfews and threatens to weaken or delay a potential sustained economic recovery into mid to late 2021. The country also suffers a number of natural catastrophes throughout the year, including floods, tropical cyclones, wildfires, etc., which disrupt business operations and result in colossal losses running into billions of dollars.

Not just these external factors, but internal factors too, such as breakdown of IT infrastructure, lack of appropriate controls, etc., can disrupt operations. According to Feedzai, there has been a 159% jump in banking fraud attacks in Q1 2021 compared to Q4 2020.

"Today, banks need to look at peripheral risk information, coming from both inside and outside the domains of their organizations, to be able to manage risks better."

- Gaurav Kapoor, Chief Operating Officer, MetricStream

Strategic Risks:

Rapid technological advancements, particularly in the past decade, and the influx of fintech startups have shaken up the traditional BFS sector. These new-age, tech-driven companies have come and conquered the market by offering financial products and services at competitive prices. This has essentially compelled legacy organizations to rethink their business models and go-to-market strategies.

To protect and grow their market share, the BFS sector is now shifting towards more customer-centric products and services and even entering into digital partnerships or mergers and acquisitions (M&A) deals with fintechs or acquiring them to capitalize on their technological and agile capabilities.

According to S&P Global, with 19 M&A deals announced in July 2021, U.S. bank M&A activity has climbed back to pre-pandemic levels, bringing 2021's total deal announcements to 116, compared with 111 for all of 2020.

What’s next in GRC:

The GRC practices and approaches of BFS companies have evolved considerably over the years. Going forward, we think that the GRC function in this sector will continue to evolve and be driven by various forces including technological advancements, ESG, stricter regulatory scrutiny, cyber threats, complex extended ecosystem, and hybrid working models.

For any organization, the ultimate goal of implementing a GRC program is to be future-ready and stay resilient when faced with any disruption or risk event. So, what does it mean to be truly resilient? Resilience management goes beyond the traditional approach to risk management involving risk foresight, planning, and mitigation measures to ensure that the organization has:

[Image 7: figure content not preserved in the text version]

It is only then that the organization can truly thrive and create business value. Financial regulatory authorities have already initiated efforts to boost the operational resilience of the BFS sector. In October 2020, federal bank regulatory agencies, including the Board of Governors of the Federal Reserve System, the FDIC, and the OCC, released a paper outlining sound practices for large banks to increase operational resilience.

Here are the few key considerations for BFS companies to maintain and sustain their resilience:

Integrated GRC Program

An integrated approach to GRC, facilitated through a standardized GRC taxonomy and coordination and harmonization between the various functions (risk, compliance, audit, IT, third-party, business continuity, legal, and finance), is a business imperative today. This approach cuts across organizational silos, eliminates redundancies and duplication of effort, enhances visibility into top risks and the efficacy of controls, and ensures alignment between corporate centers and local business units, thereby enhancing overall efficiency.

Risk-Aware Culture

Strong risk culture is critical for ensuring resilience—whether financial, operational, or cyber resilience. Setting the tone at the top for a risk-aware culture and reinforcing it by maintaining transparency, establishing standards for ethical business practices, encouraging effective communication channels, and setting expectations and accountabilities for employees can help achieve this goal.

Scenario Planning and Stress Testing

This is important for risk teams to ensure their preparedness for existing, emerging, and hidden threats. Scenario planning and stress testing drills bolster the capabilities of risk teams to not only identify early warning signs but also to tackle risk events swiftly, confidently, and efficiently.

Technological Upgrade

To thrive in this dynamic business environment, relying on manual processes and out-of-date technology for GRC is highly ineffective. Automating workflows and risk management systems with advanced technologies, such as artificial intelligence, machine learning, etc., can considerably improve the risk foresight of GRC professionals and provide them with timely and actionable risk insights for making risk-aware, data-driven business decisions. Leveraging these next-generation technologies is a must today for BFS organizations to also maintain their competitive edge against emerging fintech companies and startups.

Risk Quantification

A key challenge faced by chief risk officers is effectively communicating risks to senior management and the board. Quantifying risks in monetary terms can better equip them to explain the risks in a comprehensible manner, as well as help in prioritizing risks and controls and determining how much to spend on each control.

Frontline Engagement

Frontline employees are the lifeline of any organization. They are the closest to the customers and manage risks and compliance issues associated with daily operational activities. As such, they are more likely to spot risks and vulnerabilities.

Engaging frontline employees in GRC activities and encouraging them to proactively report any anomalies or issues, such as those related to non-compliance, suspicious transactions, etc., can go a long way to help BFS organizations to safeguard their operations.

Continuous Monitoring

Just implementing a robust GRC program is not going to engender the desired results. It requires continuous monitoring to proactively identify any gaps or loopholes that might exist and ensure that the program is relevant and running efficiently and the controls are effective.

How MetricStream Can Help

MetricStream, the global market leader for integrated Governance, Risk, and Compliance (GRC) solutions, offers the most comprehensive solutions based on a single platform that includes Operational Risk, Compliance, Audits, IT and Cybersecurity, Business Continuity, and Third-Party Risk Management. We have more than 450 enterprise implementations across the world.

The MetricStream Enterprise GRC solution provides a single, integrated system to manage, coordinate, and track multiple types of GRC activities, thereby facilitating a holistic and collaborative approach to GRC. With support for mobility, real-time reporting, advanced risk analytics, and regulatory notifications, the solution is designed to meet the GRC needs of today’s complex, dynamic, and global enterprises and their extended ecosystem.

The MetricStream Operational Resilience solution brings all aspects of an operational resilience framework into a single unified platform. The solution helps BFS companies achieve operational resilience by seamlessly embedding risk management practices into compliance, cybersecurity, vendor risk management, and business continuity planning to prepare for potential disruptions. A single, integrated, interconnected data model unites data, removes friction between functional silos, and serves as a single source of truth for real-time, risk-aware decision making.

How MetricStream Helped a Global Bank Enhance Business Decision-Making with An Integrated View of Risk and Compliance

As a leading multinational financial services company, the bank is expected to adhere to multiple regulatory obligations, while keeping possible disruptions and risks in check. These risks range from operational and IT risks, to mis-selling, regulatory, reputational, and geographic risks – all of which need to be identified and effectively mitigated across the enterprise. Previous approaches to risk management and compliance were largely siloed and, therefore, difficult to scale or sustain. Due to the vast geographic spread of the organization, the bank needed a competent GRC solution that would help them improve the efficiency of internal and regulatory compliance processes, while also strengthening risk management and business resilience.

The bank chose MetricStream’s Enterprise GRC Solution with capabilities for operational risk management, compliance management, regulatory change management, regulatory engagement management, and policy management. Today, the solution covers 90% of the countries that the bank operates in, has over 10,000 business users, and is one of the largest implemented solutions in the organization.
