As the calendar year winds down, many in our industry wonder what 2016 will bring. Specific challenges for financial institutions will persist, like obstacles to their growth objectives, the continued barrage of regulatory updates, and the ever-growing possibility of enforcement actions. Fortunately, there’s an approach that is gaining steam and proving advantageous to the institutions utilizing it: Governance, Risk Management and Compliance, or GRC.
GRC in Layman’s Terms
In many organizations, including a significant number of regional and community banks, governance is still handled separately from risk management, which is separate from compliance. Each operates independently of the others, and therefore the critical information generated by each often is not shared. This failure to share can be either inadvertent—a poor understanding of what the other departments do—or intentional, as departments protect their siloed territory.
By comparison, GRC is the concept of taking those three critical functions and integrating them for improved performance. By synchronizing these three functions, the organization gains a more holistic view because key information is freely shared between departments, which helps the organization as a whole make better decisions and initiate activities that truly support its overall objectives and reduce overall risk.
For Years, GRC Has Been Gaining Traction in the Banking Industry
As early as 2007, Network World told its readers to “get ready for a new buzz phrase about to descend upon the IT department,” attributing GRC emergence to the fallout from major corporate implosions. “Up until the days of Enron, WorldCom, et al., governance took place quietly in the background. Now it has been thrust into the spotlight, and it is much more closely tied to risk management and compliance.”
Due to their size and complexity, large corporations and the too-big-to-fail banks heeded this advice as early adopters of GRC, but many smaller financial institutions could also benefit from understanding the GRC concept and applying it within their structures. If for no other reason, consider the uptick in regulatory fines among this market segment. The Wall Street Journal’s Risk and Compliance Blog of May 12, 2015, reported that “enforcement actions against non-compliant community financial institutions rose sharply in the first quarter of 2015, mainly due to increased regulatory oversight as more Dodd-Frank Act rules take effect, and because of an increased emphasis on anti-money laundering violations.”
There’s no evidence this upward trend in fines will level off any time soon. On the contrary, there are signs that it will continue to increase. In its April 2015 Financial Regulatory and Compliance Alert, Greenberg Traurig, a law firm serving the financial services industry, pointed out that “federal law enforcement and regulators have recently indicated that money launderers are increasingly moving to smaller regional banks and credit unions to avoid detection. Enforcement actions bear this out.”
Bringing governance, risk management, and compliance under one umbrella could be the answer that helps smaller institutions better protect themselves from that expensive pitfall.
The Link Between ERM and GRC
Enterprise Risk Management (ERM) has become the norm at financial institutions of all sizes, so how does GRC fit into the picture? When implemented effectively, GRC helps organizations take their ERM framework to the next level.
Mary Peter, an ERM consultant and member of the Risk Insurance Management Society (RIMS), makes the case for an ERM-centric approach to GRC. “ERM is an archway for the company to take a holistic approach for the company’s risk management and bridges the departmental risk management tools and processes. By clearly defining ERM as your framework and then bringing the governance, risk management, and compliance (GRC) together, the company can increase the strategic vision and direction to meet its goals.”
The Leading Benefits of GRC
The GRC approach provides several advantages. It improves operational efficiency and reduces the wasteful overlap that exists when individual GRC functions are kept separate, which has a positive impact on a bank’s growth and expense reduction goals. GRC also begets more accurate information generation and more effective and thorough information-sharing and reporting capabilities, helping banks better manage their compliance obligations and identify their risk points. As Network World described at the start of this movement, “GRC has evolved from managing risk as a transaction or compliance activity to adding business value by improving operational decision making and strategic planning.”
So, is GRC right for your institution?
Most likely, the answer to that question depends on the cost and effort of implementing GRC. The good news, according to TechTarget, is that “a fundamental truth about developing a GRC program, or framework, is that much of what needs to be built into it is very likely already present in an organization. Unfortunately, they are likely isolated by discipline (e.g. audit, project management, legal, etc.) and unique to the business silo they are used to support.”
Banks using an automated and integrated enterprise risk management solution already have the most useful tool available for bringing all those existing resources together and adopting a GRC approach. An ERM system is already taking a holistic view as it collects, stores, analyzes, scores and reports on risk data. Once the functions of governance, risk management and compliance are integrated underneath that ERM framework, all pertinent information can more readily be shared and acted upon.
In addition, the integration of these three functions maximizes the effectiveness of other compliance tools and services, since the data and results from such resources are deliberately shared to inform the organization’s decision making. For instance, the results of a penetration test wouldn’t just remain within the IT and compliance departments. The governance and risk management functions would also have easy access to that information in order to make more informed strategic decisions and initiate tactical plans to improve information security.
The same is true of a Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Audit. When formerly disparate GRC functions are synchronized, the results of such an audit are purposefully filtered to all three areas. This allows the three to act in concert toward the organizational good: governance is better positioned to ensure the appropriate processes and controls are in place; risk management has the tools to better predict and manage BSA/AML risks; and compliance has the backing to more effectively carry out the institution’s BSA/AML compliance program. Given the rise in BSA/AML fines, that type of coordinated effort is a powerful message to share with regulators at exam time.
GRC Starts with a Conversation
Bottom line, a GRC initiative is not an overnight project. It’s a journey that starts with a conversation. Discuss its benefits among key institutional stakeholders (audit, risk management, compliance, finance, IT, legal, etc.). Research GRC through independent sources, such as OCEG.org, a global non-profit dedicated to the topic. Finally, bring all your findings to your board of directors and ask—is GRC our answer for 2016?
Joe Wheeler is a strategic partnership manager with CSI. Joe has more than 20 years of senior management experience in the financial services industry. In his current role, he manages the strategic partnerships that are affiliated with CSI Regulatory Compliance. Throughout his career, he has worked with community banks and credit unions across the country to build strategic plans and business forecasts that fully incorporate risk management and compliance requirements.