Banks and financial services organizations of all sizes are now more concerned than ever about risk and compliance management. This white paper discusses the current risk and compliance environment for banks and financial institutions, strategies for successfully implementing Governance, Risk and Compliance (GRC) programs and how technology can be leveraged to adopt a holistic approach to risk and compliance management.
Banking regulations are a key form of government regulation that subject banks to certain requirements, restrictions and guidelines. These regulations are important to uphold the soundness and integrity of the financial system. The combination of the instability of banks and their important facilitating role in the economy led to banking being thoroughly regulated. Another reason banks are thoroughly regulated is that ultimately, no government can allow the banking system to fail.
The evolution of the banking industry can be traced back to the ancient Roman, Greek and Indian economies. In the West, the founding of banking can be traced to the centers of trade in Europe including Hamburg, London and Amsterdam. Modern banking evolved in the late 20th Century when the Industrial Revolution led to a fundamental change in the definition of banking. Money lending was replaced with equipment financing and business credit. This led to a spurt in rules and regulations to ensure that banks fulfilled their role as builders of the economy. The Great Depression of 1929 brought banks and financial institutions into greater focus. Money supply and credit monitoring within the economy brought about a spate of regulations to protect the common man.
Also, in the 1950s and 60s, the role of banks expanded beyond the government's control with the introduction of several other financial institutions like private banks, community banks, credit unions, etc. To manage the complexity of the banking world, it became necessary to ensure that risk and compliance were managed very well. This led to multiple governmental and regulatory agencies being set up at the federal, state and local level. The present state of affairs indicates that risk and compliance management has become onerous for banks and financial institutions, and it becomes important to have a robust GRC program in place.
In the United States, bank regulation is highly fragmented compared to other countries, which usually have only one bank regulator. Banking and financial services in the U.S. are monitored at the Federal and State level. Depending on a bank or financial services organization's charter and structure, it may be subject to numerous regulators and regulations. For example, there are 4 main regulatory bodies just at the Federal level, namely the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision. In addition, the state legislatures and state banking authorities play a significant role in the regulation of state-chartered institutions. The plethora of regulators means that the list of regulations adds up very quickly for banks and financial institutions.
At a global level, different countries have their own set of rules, regulations and reform. This adds to the challenge for global banks and financial institutions. A recent banking survey by the Economist Intelligence Unit shows that over one-third of all banks report that they answer to 10 or more regulators and over 75% of all banks report to four or more regulators. The same survey also shows that a global bank could face more than 350 regulatory exams a year. These results indicate that compliance becomes very cumbersome and expensive for a large or mid-size bank.
In the recent past, a few regulatory changes that have come up include the Sarbanes-Oxley Act (SOx), Basel II, OMB A-123, Data Privacy, Consumer Privacy, Check 21, SAS 70, Anti-Money Laundering (AML), BSA, the PATRIOT Act, MiFID and Reg NMS. As each of these regulations was introduced, the reaction of banks and financial services organizations has been to develop or purchase point solutions to manage compliance with that regulation. The gradual build-up of regulations over the years created duplication of compliance processes and documentation within the organization. There was no integrated view of risk and compliance, and this led to high costs of compliance and a lack of uniform coverage across regulations. These regulations necessitate that each bank or financial institution step back, look at its overall GRC needs and objectives, evaluate the long-term strategy for sustainable GRC and re-architect strategy and processes to support those goals.
Another pressing reason to do this is increased risk exposure due to disparate systems. Research has shown that large banks have several legacy and state-of-the-art computer systems co-existing to manage separate compliance processes and programs. This poses huge risks since there is a lack of flow of information between these disparate systems. Also, the information alignment between systems is non-existent.
The consequences of stumbling over a regulation have become tougher, as the recent spate of scandals has shown. Corporate officers have been sent to jail, heavy fines levied and reputations have been hurt. In this day and age, if a bank or financial institution makes a regulatory mistake, it is likely to be a very expensive one.
Major shifts in the role and functioning of banks and financial services organizations over the last few years have brought about a new way to regard risk. Many, if not most, new risks over the last two decades can be attributed to globalization, the explosion of new businesses, growth in technology and gains in efficiency. These changes have not only brought tremendous economic growth but also a growing multitude of risks, causing a fundamental change in the approach to risk management. Some key shifts include:
These changing trends in risk management mean that executive decision makers and risk managers within banks and financial institutions have to grapple with some basic issues.
Each year, banks and financial services organizations spend a substantial part of their time and money on mitigating risk and complying with a growing set of regulatory and operational compliance requirements.
The following graphic shows the compliance priorities for banks in 2007 versus 2006. This indicates that SOx is gradually losing focus while other regulations are becoming more important. An integrated risk and compliance solution would become very important in this scenario.
Financial institutions have typically addressed compliance with a ‘silo’ approach. Compliance and risk activities are frequently undertaken by different departments using different data sets. As a result, they find themselves managing governance, risk and compliance initiatives discretely and in an uncoordinated manner in an era when risks are interdependent and controls are shared across the organization. In addition, parallel compliance and risk initiatives lead to duplication of efforts and cause the cost of compliance to spiral out of control. In an effort to meet deadlines and other organizational constraints, they have not adopted a measured or strategic approach to governance, risk and compliance.
By taking an integrated GRC process approach and deploying a single system that supports a federated organizational approach to managing the multiple GRC initiatives, compliance effectiveness can be increased while cost of compliance is reduced. In addition, an integrated GRC approach enables a coordinated and cross-organizational approach to risk management. As a result, GRC initiatives are aligned centrally with corporate governance and reporting but are distributed to lines of business to assign ownership, execution and accountability.
The present risk and compliance management solutions adopted by a majority of banks and financial institutions consist of separate silos that deal with risk and compliance management. In many cases, there is duplication of data collected to feed these silos, and the results frequently present themselves in different formats. For example, a recent study at a global bank found that there were about 10 different systems at the U.S. headquarters level alone to manage risk assessment and compliance management. The data used to calculate the risk assessment was being re-entered into the compliance management system. In turn, the compliance management system had no automatic updates for new regulations.
These disparate systems coupled with the need to maintain operating efficiency led to a need for an integrated risk and compliance management system. A recent Forrester report states:
Business complexity, along with increased regulatory and market scrutiny, is driving organizations to adopt a structured approach to governance, risk, and compliance (GRC). The goal: to effectively define, manage, and monitor the external and internal business environments. This involves moving to a federated organizational structure where GRC is centrally overseen, but risk and compliance accountability is distributed across lines of business where it belongs. Technology is assuming a key and enabling role in delivering sustainability, consistency, efficiency, and transparency across this federated GRC process and organization.
Such an integrated approach to risk and compliance management brings many benefits to the organization, not just at a strategic level but also at the operational, day-to-day level. These benefits accrue to the organization only if the solution includes features from the business as well as the IT perspective.
When looking at the features from a business perspective, some key questions crop up.
From an IT perspective, there are some key features that become important.
Though the responsibility for an integrated risk and compliance management solution might reside within a particular department or business function, banks and financial services organizations have to realize that the benefits would be apparent across the enterprise. In building a business case for an integrated risk and compliance management solution, it is important to highlight the key benefits.
In the present banking scenario, we find that only point solutions exist for risk and compliance management. This can be attributed to the fact that technology is not being leveraged properly to build an integrated solution. As mentioned earlier, large banks have disparate systems that do not communicate with each other. Many banks do not want to spend huge amounts of money to upgrade to an integrated platform to manage risk and compliance. This view is shortsighted, since the integrated platform offers continuous business and IT benefits to the enterprise besides creating a single framework for managing risk and compliance. An integrated platform will also make it very easy for banks and financial institutions to incorporate existing and emerging regulations, as opposed to point solutions that address only specific regulations.
When the benefits are evaluated, it becomes important to address the business and IT issues within the enterprise. The business issues that come up include:
The Total Cost of Ownership (TCO) of deploying an integrated solution for risk and compliance management would be lower compared to building and supporting separate custom applications. Most of the risk management solutions available right now cater to just financial risk, operational risk or other isolated risks. Similarly, a compliance management system may support only SOx compliance or legal compliance. An integrated solution that assesses risks and manages existing and new compliance requirements would significantly lower the cost of risk and compliance for a bank or financial services organization. Banks would also benefit from interfacing this solution seamlessly with their existing ERP, BI and other IT systems.
Banks and financial services organizations would also benefit from the new features and enhancements that an integrated system provides on an ongoing basis to meet the changing risk and compliance related needs. Other costs like training, documentation, and change management would also be lower when compared to these overheads being managed internally under separate departments.
The nature of the bank and financial services business makes it very important for each and every business unit to internalize risk and compliance management. Traditionally, functional and business units develop their own risk and compliance silos that often have common requirements. This leads to gross inefficiencies and inconsistencies across the enterprise. Also, executive management does not have real-time access to key risk and compliance indicators across the enterprise. They have to wait for the individual business or functional units to roll up their metrics to get an enterprise-wide picture.
With an integrated solution, banks and financial services organizations would have visibility across the enterprise. A risk being managed in Asia can be monitored from the bank’s head offices in the U.S. or Europe. At the same time, a new regulation that is introduced in Japan can be tied into the worldwide compliance calculator instantaneously.
The power of an integrated solution becomes clear with an example. A large global financial institution with headquarters in New York and operations throughout the world had about 30 different systems to manage its risk and compliance. These systems could not talk to each other, and it took about a week of effort to consolidate risk and compliance reports across the enterprise. Another factor to consider was that a single delay in reporting could disrupt the whole reporting system. The financial institution finally decided to purchase an integrated solution for risk and compliance management. The solution they brought in had capabilities to pull in data from different business units across the globe, integrate and analyze the data and present it as a single enterprise-wide score to senior management. Errors within individual business units could be uncovered and fixed very quickly. The reporting cycle time was reduced from one week to a couple of hours while enterprise-wide visibility was maintained.
From the IT perspective, the following issues emerge for the enterprise when an integrated solution is adopted.
A holistic approach to integrated risk and compliance management would offer a highly configurable and dynamic solution that can easily scale up as the regulatory requirements change. Banks and financial services organizations would benefit from systems like these as they adopt the current and future releases without incurring additional costs. A new regulation can be incorporated very quickly and in a cost-effective manner, since the integrated solution is configured to handle such a request. Also, this new regulation can be very easily tied to the risk calculators built into the solution, so that the compliance department can assess the effects of the new regulation on the enterprise very rapidly.
An integrated solution would be highly scalable, with the ability to support an increasing number of users and growing data volume. It can be designed from the ground up to handle a large number of users, locations, and data. Adding new users or changing the profiles of existing users can be done efficiently, since the integrated solution has access controls configured based on the roles performed by the users within the organization.
Large banks and financial services organizations usually have operations spread across multiple sites in different countries. The silo approach to risk and compliance management cannot be relied upon to deliver an accurate assessment since there is no capability to interpret a risk in the New York operations from the London office. An integrated solution bypasses this problem by providing a unified, reliable platform to assess risks irrespective of their place of occurrence. For example, a global bank with users in the U.S., Europe and Asia could access this system seamlessly. In another case, users across the world could be managed using a central server in the U.S. These features provide risk and compliance reliability within the enterprise.
A risk and compliance management solution will be ineffective if it does not provide advanced security and access controls. The integrated solution needs to have a robust security infrastructure, supporting the current standards and best practices including authentication and authorization, 128-bit data encryption algorithms such as MD5, SSL and HTTPS support, support for LDAP-based authentication models, as well as support for single sign-on technologies. The solution should also have configurable rules for passwords, password complexity and password expiry, as well as authentication and sign-offs at major transactional steps in business process workflows.
The integrated solution should support multi-level role-based access controls, with support for hierarchy-based organizational models and org-role pairings. Such role-based access to functionality and data is essential for banks and financial services organizations with multiple locations, product lines, and business units. Any document or record is made available only to those users who have appropriate privileges based on their roles and profiles.
For example, within a bank, the Chief Risk Officer would have access to the enterprise-wide risk picture and also be able to drill down to specific risk assessments. The Director of Risk for Investment Banking would have full access and control over risk assessments within his group but limited access to risk assessments within the Retail Banking group. Similarly, a compliance analyst in the Options Trading Department based in New York will be provided access to compliance dashboards within his department but can be restricted from accessing other corporate information.
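The org-role pairing model described above, worked through in code as an added illustration (this is not the paper's or MetricStream's code). The org tree, the role names, the permission strings and the rule that "limited" access outside one's own group means summary-level risk only are all assumptions chosen to match the paper's three example users.

```python
"""Hierarchical, org-role based access control for a GRC platform (added example)."""
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Constructed organisational tree: unit -> parent unit (None for the root).
ORG_PARENT: Dict[str, Optional[str]] = {
    "Enterprise": None,
    "Investment Banking": "Enterprise",
    "Retail Banking": "Enterprise",
    "Options Trading NY": "Investment Banking",
}

# Permissions a role grants on the unit it is paired with and every unit below it.
ROLE_PERMS: Dict[str, Set[str]] = {
    "chief_risk_officer": {"risk:summary", "risk:detail", "compliance:dashboard"},
    "risk_director": {"risk:summary", "risk:detail"},
    "compliance_analyst": {"compliance:dashboard"},
}

# 'Limited' access outside the paired subtree (assumption): a risk director may
# see summary-level risk anywhere in the enterprise; other roles get nothing.
LIMITED_PERMS: Dict[str, Set[str]] = {"risk_director": {"risk:summary"}}

# Org-role pairings per user (constructed sample assignments).
ASSIGNMENTS: Dict[str, List[Tuple[str, str]]] = {
    "cro": [("Enterprise", "chief_risk_officer")],
    "dir_ib": [("Investment Banking", "risk_director")],
    "analyst_ny": [("Options Trading NY", "compliance_analyst")],
}


def lineage(unit: str) -> Iterator[str]:
    """Yield the unit itself, then each ancestor up to the root."""
    current: Optional[str] = unit
    while current is not None:
        yield current
        current = ORG_PARENT[current]


def is_authorized(user: str, permission: str, target_unit: str) -> bool:
    """Deny by default; grant only if some org-role pairing covers the target."""
    if target_unit not in ORG_PARENT:
        return False  # unknown unit: never grant
    ancestors = set(lineage(target_unit))
    for paired_unit, role in ASSIGNMENTS.get(user, []):
        if paired_unit in ancestors and permission in ROLE_PERMS.get(role, set()):
            return True  # full access: target lies within the paired subtree
        if permission in LIMITED_PERMS.get(role, set()):
            return True  # limited access elsewhere in the enterprise
    return False


def visible_records(user: str, records: List[Tuple[str, str, str]]) -> List[str]:
    """Filter (record_id, owning_unit, required_permission) to what user may see."""
    return [rid for rid, unit, perm in records if is_authorized(user, perm, unit)]
```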
A solution that cannot be rapidly implemented is not worth implementing at all. This feature is more important than ever in a risk and compliance management solution. New risks and regulations in the banking and financial services world come up at an alarming pace. Any solution that addresses them should lend itself to rapid implementation. A traditional, silo-based approach does not provide this feature. A solution built to handle operational risk or financial risk might manage that particular set of risks reasonably well, but bringing a new risk into the equation requires substantial re-working of the underlying software. Also, a financial risk management solution cannot adapt very easily to managing supply chain risk or manufacturing risk, because its algorithms have been configured to analyze only that one kind of risk.
An integrated solution would provide rich compliance and risk management functionality out-of-the-box. Moreover, the functionality would include core services such as security, integration, workflow, reporting, etc. along with the tools needed to rapidly implement the solution to exactly meet customer requirements.
A combination of feature-rich solution modules, robust infrastructure and tools, and a knowledgeable implementation team would ensure successful and rapid project execution by employing industry best practices. This reduces implementation time, minimizes risk, and ensures that the solution is configured to meet the customer's needs.
Managing several stand-alone systems within the enterprise requires a separate maintenance team consisting of managerial and IT resources. There need to be system administrators and business managers for each separate solution. Additionally, the maintenance downtime and cost are multiplied with different risk and compliance management systems. The maintenance of the SOx compliance solution requires downtime that is distinct from the downtime for the legal compliance solution or the operational risk solution. When all these downtimes are added up, it leads to a significant loss in productivity across the enterprise.
In contrast, adopting a holistic approach to risk and compliance management requires minimal system administration overhead during runtime as well as when updates and upgrades are implemented. A Monitoring and Troubleshooting Application could be built into the system to provide system alerts, activity reports, traceable logs, and monitoring tools for easy system administration. The transition from staging to production during updates and upgrades can be simplified using an IUP (Install Upgrade Patch) tool. Also, upgrades done to the enterprise platform do not affect the application resource files and application metadata, and they preserve all customer configurations and settings.
When we evaluate the benefits and examine the issues, it becomes very clear why a holistic approach to integrated risk and compliance management is so important to banks and financial services organizations. They can reduce costs, become more productive and manage their business better with an integrated solution. MetricStream's enterprise-class suite of Governance, Risk and Compliance (GRC) Management solutions provides the best tools to navigate the risks and regulations present in the complex business environment of today and the future.