The culture of risk analysis is characterized by the alignment of risk management with the strategy of the organization and the promotion of an integrated approach to risk management. It is a delicate balance between innovative methods and risk management methods. Regardless of what risk management systems, policies, procedures, or technologies companies have or lack, during an unexpected challenge, an organization that has established a culture of sound risk management is more likely to respond well to a sudden threat. Proper and effective implementation requires regular and timely coordination to achieve the desired result of risk optimization for maximum benefit to the organization. In a culture of marginal risk, each individual acts as a risk manager and will continuously evaluate, monitor and optimize risk to make informed decisions and create sustainable competitive advantage for the organization. In order to create an effective risk management culture and make it work successfully for the benefit of the organization, management must constantly improve it to adapt it to changing business goals and requirements while reacting to market and regulatory demands.

Lessons learned from COVID-19

Traditional risk management ignores the reality of the uncertainty organizations face in the digital age and is often influenced by past experience and judgment, encourages groupthink, predicts thinking outside the box, and does not provide enough insight to address risk exposures and destructive events. As a result, risk management becomes a psychological process rather than a technical process of collecting, evaluating and presenting data at expected intervals of different outcomes or even improvements. 45% of professionals say that Microsoft Office is still the primary method for managing important GRC initiatives and documents, despite its shortcomings in terms of scalability and transparency, and only 36% say they use integrated GRC software. Nearly two-thirds (63%) of integrated GRC software users report greater visibility into their organization’s risks, compared to 47% of multipoint users and 32% of those using Microsoft Office.

“With 45 percent of professionals reporting that Microsoft Office is still their primary method of managing critical GRC initiatives and documents, regardless of its shortcomings when it comes to scale and visibility, only 36 percent report using integrated GRC software.”

Michael McGee, assistant editor at Internal Audit 360° according to Galvanize 2021 State of GRC Survey Report (wegalvanize.com) in USA and Canada

Everyone involved in governance, risk, compliance (GRC), ICS, data protection, security, BCM and audit will confirm that the pandemic has highlighted even more the critical nature of GRC professionals in their organizations, especially as the ongoing constant stream of new business continuity challenges continues. In fact, the pandemic not only digitized many management processes increasing the burden on risk managers, but also radically changed the role of GRC specialists. According to a survey by Galvanize, GRC professionals are almost four times more likely to say they are more risk-aware than they were before the COVID-19 pandemic, but their level of understanding of the risks their companies face varies by technology of choice.

traditional vs enterpreise risk management

Technology as a gamechanger

Technology undoubtedly proves to be a gamechanger and is able to ensure with the right tools that business processes and information technology continue to meet the organization’s governance, risk and compliance requirements. Consequently, the GRC technology market is growing through core technologies and emerging technology areas that provide domain-specific insights such as RegTech, Cyber Risk Quantification, and Privacy Management. More importantly, technology makes it possible to create a centralized system for collecting risk information and organizing data items while further strengthening the culture of risk management. Today, when leaders consider information technology and governance, risk management, and compliance (GRC), they tend to focus on compliance with IT-specific requirements, such as information privacy and security. A compliance and risk management software (GRC software) is a tool that companies can use to manage IT-related operations that require oversight and ensure they meet compliance and risk standards. On the other hand, Integrated Risk Management (IRM) is a set of practices and processes supported by a risk culture and advanced technologies that improve decision making and performance by providing a comprehensive view of how an organization manages its unique risks. For organizations that use the right application of IT resources to improve the knowledge, efficiency and integration of GRC professionals and businesses within the organization, GRC efforts do not become a burden, but can translate into enormous benefits. About 85% of organizations surveyed said they would benefit from integrating and streamlining the use of technology for GRC operations, according to Deloitte.

Governance Risk Compliance

Banks struggle to assess company-wide risk exposure

In the decade since the global financial crisis, banks and their regulators have become increasingly aware of the need to manage risk. However, they find it difficult to put in place the cultural, managerial, and governance structures that can systematically manage these risks. To manage a range of emerging risks in areas such as technology, data and financial crime, banks need specialized knowledge and tools. Therefore, financial institutions must understand the full range of strategies available to them to manage these financial and operational risks. Compared to financial risk, operational risk is more complex and more difficult to control and manage. Until recently, operational risk has been more difficult to measure and manage with generally accepted data and limits than financial risk. Many banks seem to struggle to understand, measure and manage the interrelated factors that affect operational risk, including human behaviour, organizational processes and IT systems. Failure to assess company-wide risk exposure can be costly.

Active and cost-effective risk management requires managers to systematically think about the many categories of risk they face so that appropriate processes can be established for each. For example, external risks generally cannot be reduced or eliminated by the approaches used to manage avoidable and strategic risks. These threats or risks can arise from a variety of sources, including financial uncertainty, legal liability, strategic mismanagement, accidents and natural disasters. Risk management standards are designed to help organizations identify specific threats, evaluate unique vulnerabilities to determine their risks, determine how those risks can be mitigated, and then implement risk mitigation efforts based on the organization’s strategy. The ISO 31000 principles, for example, provide frameworks for improving the risk management process that can be used by companies, regardless of the size of the organization or the target industry. This approach can help a financial institution stay abreast of current and emerging industry risks and use risk assessments to identify actionable opportunities for improvement. The latter will take time, financial and management commitment, but the transformation of operational risk management presents an appealing opportunity for institutions to minimize operational risk while boosting business value, security, and resiliency. Improvements in bank risk management, on the other hand, will result in a more stable financial system, making firms more resilient to shocks. Banks that incorporate and proactively manage organizational risk with technology at the heart of their efforts can see substantial financial benefits while also preventing crises that could have long-term ramifications. Experts surely agree that financial services managers have the same powerful tools to model and manage operational risk that they use to model and manage financial risk. By combining financial instruments and operational risk modelling tools in a framework-driven process, financial services managers can actually implement their own tools. What they do not have or may not even know about, are the tools and techniques that can help them model operational risk with equal accuracy, including causal modelling approaches based on system dynamics. Rather than adopting a proactive and long-term operational risk management (ORM) approach that is deeply integrated into their overall business risk management (ERM) framework, many banks end up managing operational risk through short-term responses.

Regulatory and market trends drive the need for integrated risk management platforms

Pressure remains high on banks and other financial service providers to demonstrate effective and sustainable risk management as regulators demand higher levels of accountability and enforce stricter enforcement measures. The current economic environment requires all financial services firms to accurately measure the level of regulatory compliance and economic capital required to support their business strategy and risk appetite. Therefore, banks can find it difficult to comply with the ever-changing rules, but they must comply so as not to expose themselves to the risk of non-compliance and the potentially serious consequences that come with it. Today, banking sector companies must comply with a number of rules and standards, including the Basel III risk-weighted capital requirements, the Bank Secrecy Act, the Dodd-Frank Act, current expected credit loss (CECL), provision for loans and leases (ALL ) and many others. To comply, banks must develop automated and continuous risk assessment workflows that provide synergy between compliance policies, business areas and associated processes, resources (people, technology) and regulatory requirements. In particular, in order to manage third party risk, which is an important part of what banks should be doing from a regulatory standpoint, institutions need to obtain sources of evidence that they are properly managing a partner or supplier. Typical examples of operational risk in banks include service outages and security breaches. Vulnerabilities include rising compliance and risk management costs, rapidly changing regulatory environments, operational approaches, and operational inefficiencies. Unsurprisingly, risk management and compliance technologies are focused not only on solving the current problems facing the financial sector, but also on the systematic handling of vulnerabilities. Compliance activities still take time and are manual in most banks and tend to lag behind the pace of change in the financial sector. As a result, they can benefit from business understanding of new tools and technologies. A systematic, company-wide approach to governance, risk, and compliance results is a process that continuously improves management’s understanding of what is happening in the company while increasing confidence in managing risk and effectively executing key business strategies.

What is next in GRC for financial organizations

GRC has come a long way in integrating various risk management, compliance and governance modules to provide a holistic view of risk across the various silos in the retail banking system. When it comes to managing the triumvirate of governance, risk and compliance (GRC), many financial institutions will agree that they face difficulties. Historically, only the largest banks and financial institutions have been able to afford integrated governance, risk and compliance platforms. Many banks approach risk management and compliance from a departmental rather than an enterprise perspective.

Over the last 15 years, the role of technological innovation in governance, risk management, and compliance (GRC), as well as its impact on the global financial services industry, has shifted substantially. While the GRC industry has changed dramatically — each generation now lasts a few years less than the one before it — huge financial institutions with significant pockets and greater regulation (SIFI) are the first to stay up with the latest big financial institution advances. Fintech businesses have dominated the market by offering low-cost financial goods and services. Most financial services and products are powered by technology, which has generated a fundamental need for security and reliability, exposing financial services organizations and clients to inherent dangers. Following the financial crisis of 2008, a greater emphasis was placed on financial indicators such as capital sufficiency, scenario planning, and loss management, as well as a significant increase in financial regulation. The focus has turned to financial risk after the implementation of Basel IV and the height of compliance innovation. The pandemic spurred a third wave of GRCs, according to Gunjan Singh, executive chairman of MetricStream. The first wave was triggered by the 2008 financial crisis, and the second by technical developments around 2015 have not found the same level of applicability as projected, and these patterns will take time to materialize.

Overall, financial crime and financial risk compliance will improve as changing digital trends accelerate industry-wide transformation, making the global financial services industry safer than ever from the financial crisis or COVID-19 and other dramatic events. The advent of model risk management is also a key step towards greater control over the development of models and their use: some financial institutions prefer to create bespoke solutions in-house to meet specific requirements and retain control of technology and scalability considerations. As banks and financial service providers move from basic services such as insurance, accounting, credit, investment and treasury management to non-banking ecosystems such as mobile services, business process outsourcing, healthcare services and inventory management, the need for integrated GRC systems have become omnipresent and a key element in company-wide strategies. Essential components of a sustainable development plan and comprehensive approach to risk and compliance are best achieved by incorporating the overall GRC policy into the business agenda.