NEWS: 1 March 2008, Vol 9 No 3
Governance, risk and compliance (GRC) as a strategy is still a relatively new kid on the block, and executives are faced with some stiff implementation challenges. Victoria Pennington takes a look at the expected and unexpected challenges presented by GRC and poses some solutions.
Opinions are divided about what governance, risk and compliance (GRC) actually is, but one thing is clear: there is no one way to implement it and there is certainly no easy way.
Software vendors have widely varying ideas on the best ways to approach GRC, but surprisingly some admit that technology can only do so much at its current level of development. Others - though they are not prepared to go on the record - doubt that some large, multinational and multi-divisional financial services firms will be able to implement a GRC system.
Operational risk executives generally agree that the idea of GRC is good, but some are not convinced that the cost in time and resources of implementing such an enterprise-wide strategy justifies the perceived benefits.
Philippa Girling, New York-based global co-head of operational risk management at Nomura, agrees that GRC is a sound principle but she anticipates some integration challenges. "Yes, of course we should be looking at how Sox [Sarbanes-Oxley] controls link into operational risk, and when we look at tracking action items from an operational risk programme, we should be able to see how they relate to our Sox programme. It's all very much common sense but it's very challenging to achieve within an organisation. The future is that those things will work better together. There are some benefits coming from co-ordinating your guardianship activities."
As a relatively new and still evolving concept, a certain level of discord is to be expected. But first some misconceptions.
GRC is not a new process that will replace the relevant existing programmes in an organisation. It is not specific to one business area, such as Sox or compliance. They and others such as IT, legal, operational risk, business continuity planning and information security are all part of GRC. GRC aims to bring those departments together to create a repeatable, sustainable and efficient process.
And GRC is not all about technology. While technology is an important component of automating and streamlining the relevant processes, it is only part of the whole thing.
GRC is a broad philosophy that aims to implement an integrated approach to such processes in an organisation by educating all the often siloed business lines to work together, using technology to automate the process.
So now we know what GRC is, what are the main implementation challenges for financial services firms?
Silos are a major obstacle and most financial organisations, especially banks, are still divided into individual silos. To implement a true GRC strategy, it is essential to get departments working together. Risk types in particular tend to be siloed and often involve very different interpretations of risk and even different jargon to describe events.
Timing is also a concern. "There will always be challenges around integrating anything. The specific challenge for GRC will be timing," says Girling. "People have different urgencies to get things done and there have been some regulatory changes in the past five years, which means that different departments have different timescales to get things done. But as everything moves to maturity and becomes more of an embedded activity, there is more opportunity to integrate in a systems way."
From a risk perspective, top-down organisations will find it much easier to implement GRC than bottom-up firms, which will need to get buy-in from all the separate departments. "Risk in most organisations tends to take either a top-down or a bottom-up approach - the bottom-up approach can hold back GRC implementation as you need to have direction from senior management to push the process along," says JR Reagan, managing director at BearingPoint.
Middle management and heads of departments usually only want to deal with their individual business areas, so strong leadership is critical to success. "Having the right people and the right culture is essential, as is support from the top," says Roger Martini-Facio, head of risk and compliance for the finance division at technology services provider LogicaCMG, based in London. "Not everyone is a natural project leader or necessarily has the time to dedicate to such a complex project, so outside support is often required. Having a clear vision is essential, as is having somebody in charge who understands how each of the elements interact and link together, who is able to spot the synergies in the organisation and who understands that implementing change in one area can have an adverse effect in another."
Embarking on any management project is difficult, but something this all-encompassing can run up against severe resistance unless it is approached in the right way. "Anytime you are putting a system into an organisation that is intended to tell people how they are going to have to operate and change their business practices, you are going to run into significant resistance," says Warren Perry, senior compliance officer and adviser at software firm Qumas, based in San Francisco.
As every operational risk manager knows, embedding a new system and a new culture into an organisation requires a high level of diplomacy and superior communication skills. Because a GRC project will range across several business areas, each with its own processes and procedures, it is essential to involve all department heads from the beginning of the project.
"The two things that are essential to a successful implementation process are, first, to deliver information to the user community well in advance to tell them what is going to happen, what the system is going to do and what the benefits are to them personally and to the organisation," says Perry. "The second is to run workshops around why this is happening and to tell them what information they can bring to the configuration and implementation process."
Although there is no one-size-fits-all approach to GRC implementation, there is a general consensus that the foundation of any GRC system is going to be the policies and procedures. Although this seems like the easy part, the amount of organisation and time required to do this properly is often underestimated.
"An organisation needs to get all the policies and procedures reviewed and certified, implemented and pushed out to the appropriate people, who have been trained, which then need to be placed into review and certification workflows so they can be reviewed annually. From that foundation, a firm needs to ensure training is carried out and from there you put in the monitoring and remediation pieces, and concurrently add in the reporting, dashboarding and oversight processes," says Perry.
This stage in the implementation process is very detail-orientated and is by far the largest undertaking. Decisions need to be made on everything from which of the different types of documents are going to go into a system down to the workflows, the review and approvals processes, and the training and certification process. A firm also needs to decide how it is going to deal with any deviations from the standard policies and procedures of the different business areas. A common misconception is that a firm can establish a standard enterprise-wide set of policies and procedures; such firms are simply not prepared for the number of deviations that will be insisted on by the individual business areas.
The situation is exacerbated by the fact that most large financial services firms typically have dozens and dozens of policies concerning regulatory requirements, many of which came into the organisation from acquisitions that have legacy policies and procedures of their own.
"Often the board is not even aware that they have 12 different policies on any one issue," says Perry. "The first undertaking is gathering together all of these policies, reviewing them and determining what the firm's real organisational policies are and then going back to the departments that created them to create a standardised policy, which will often require any number of exception policies demanded by the different business areas. Once you have created this inventory of policies and sub-policies, you have to get all the different business areas to agree on them.
"At some point there also has to be a discussion about how many previous versions of these policies are going to be put into the system because one of the things that becomes critical is how the organisation is going to address regulatory review."
When regulators ask to see a firm's policy on an issue such as market timing, for example, they are not going to be interested in the current policy, but the one that was in effect when the alleged violation took place. This is when it becomes essential to ensure you have every current and lapsed policy and procedure from every part of the organisation loaded into a GRC framework to enable firms to deal with regulatory enquiries more quickly.
"Having all your documents in a single repository with comprehensive search capabilities helps firms to deal with this quickly and efficiently rather than having to search through endless filing cabinets to find the right extinct policy. As there is a massive amount of time and resources involved in this process, this is one feature that has a huge impact on acceptance and uptake of the system," says Perry.
The sheer scale of time it takes to do this preparatory work overwhelms many firms and is often the reason why GRC projects are delayed or abandoned. Some firms believe that they can just throw money at the problem. But it is a rather naive hope that a firm can outsource somebody to come in and find all the necessary documents, decide which are the current versions, and mediate the disputes between the retail and wholesale sectors of the business.
"On occasion we can sit in on the meetings and workshops and be pretty good mediators, but the fact is the work has to be done by the resources of the organisation because we don't know their content," says Perry. "That is the rude awakening at some point they all get. There isn't enough money in the world to solve this problem; it always comes down to people who have to make these decisions. It is a painful and drawn-out process and is the major reason why many of these systems don't get implemented or are delayed."
Tom McEvilly, director of global solutions strategy at software vendor CheckFree, suggests focusing on cornerstone processes to keep the project on track: "Organisations can reduce the overall effort (in terms of resources and time) involved in deploying enterprise-wide frameworks by paying special attention to cornerstone processes such as reconciliation and exception management, which traverse multiple back-office operations. By focusing on these, an organisation can simultaneously optimise a single business process and meet multiple compliance mandates, thereby reducing the overall deployment effort."
To keep employees engaged, it is essential that firms have a clear vision of GRC, define what they want to achieve, and set out a roadmap with a lot of quick wins to show the benefits early.
"Vision, communication and strategy are the backbone of GRC. Organisations need to define what they want to achieve from GRC," says Michael Rasmussen, president of strategy advisory firm Corporate Integrity, based in Wisconsin. "These usually fall into four themes - sustainability, consistency, efficiency and transparency."
Demands on firms' processes are becoming more rigorous, whether through more regulatory change or simply because of the ever-changing dynamics of the financial world, and organisations need GRC processes that are sustainable and flexible. Equally, to have a truly integrated approach to GRC, firms need to ensure that they have a common framework for each of the divisions to plug into. Consistency therefore becomes very important. Efficiency is the selling point of GRC and is the goal most organisations are aiming for to help save time and resources.
"The third theme, which is driving the uptake of GRC, is efficiency," says Rasmussen. "Many of the questions asked during assessments of each of the business lines are very similar. Implementing processes and technology that can help them to streamline and use the same answers for multiple assessments will increase efficiency within the organisation."
The fourth is transparency, so that managers and executives can see the big picture of GRC across their organisation. For companies that remain divided into silos, where everybody has their own small piece of risk, the aggregate view of the whole risk across the enterprise can often be missed.
"You have got to figure out those quick wins," says Reagan. "Most organisations don't have the patience for a long drawn-out process, so figuring out ways to show the value of the system is essential to maintain engagement and ensure you keep to your budget."
Opinion is divided on the benefit of quick wins, however. "Tactical wins are fudges on the face of it. It is more important to look deeper into the project and ensure what is being done is appropriate and in line with what you are trying to achieve," says Martini-Facio. "It may be, however, that you need to have those tactical wins as a means to ensure timely compliance."
Firms also need to decide early on how they will use technology to automate the processes involved. "You cannot do this the other way around and rely solely on technology," says Reagan. "You have to figure out ways to use existing technology in other business areas. You may be able to find out a way to use a Sox tool in your compliance or risk divisions, for example. Then you need to find out a way to integrate these products into one framework."
Although technology should be seen as an enabler of GRC, it is certainly an essential part of an enterprise-wide system. Peter Hill, director of operational risk and product manager at financial software providers Reveleus and Mantas in London, describes GRC as a framework: "The reality is that no bank is going to start from scratch - they will have an operational risk system and a compliance or an audit tool from a variety of vendors - and it is how you complete the picture to ensure that their audit officers, compliance officers and operational risk officers are all focusing on the same risk, the same data and are using the same language in a comprehensive framework."
Right now there are some firms working on GRC implementation that have the vision but many have underestimated the length of the journey to get there. But if the fundamentals are right from the outset, GRC can provide much-needed efficiency and demonstrate the business benefit of a predominantly compliance-led initiative.
Source: OpRisk & Compliance
© Incisive Media Ltd. 2008
Incisive Media Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, is a company registered in the United Kingdom with company registration number 04038503