Enabling GRC solutions for risk management

Risk management functions at financial institutions have typically relied on the same technology solutions for their organization for many years. Today, when risk management functions are faced with managing increased regulatory scrutiny and decreased budgets, many leaders are looking for new solutions, which can provide greater efficiencies and risk insights for holistic risk management. Specifically, we’ve seen firms question whether their current technology solutions: 

• Create meaningful value and insights for their institution, or are they merely check-the-box activities
• Are mature enough for the size and complexity of their institution
• Are adaptable to the institution’s evolving process or program requirements
• Are compatible with, and can drive value from, cloud services
• Rely on customization of certain capabilities that are standard with other providers

In response, firms are evaluating their existing systems or implementing new governance, risk and compliance (GRC) platforms. Such endeavors promise substantial benefits but are not without their limitations. Our clients face challenges, which often reflect the root of an organization’s current challenges with their GRC platforms, such as: 

• Risk processes that lack the necessary definition and repeatability to reap the benefits of a GRC solution
• Business and functional requirements that are not clearly defined or fail to consider future growth, expansion or potential for change
• Lack of communication and coordination among stakeholders
• Inadequate training and support for platform users 
• Adoption of a one-solution-fits-all approach when the organization’s needs may be better served by other solutions or tools

We have deep experience helping institutions push through these challenges and establish GRC solutions that drive sustainable value in managing risk.

GRC solutions are technology platforms that provide a modular and integrated approach to handling risk-management-related processes and activities. They typically include these capabilities, which may be offered or embedded in a variety of modules:

Risk data repositories: Include inventories of risks, regulatory requirements, business entities, processes and controls policy management. It also encompasses the development, publication and maintenance of organizational policies and governance procedures

Change management: Covers regulatory change, new or modified products and services, and issue management

Risk assessment: Entails risk and control self-assessments, enterprise risk assessments and compliance risk assessment

Risk measurement: Covers key risk and performance indicators, risk appetite and operational losses

Risk oversight: Entails monitoring and testing of risks, regulatory requirements, processes and controls

Business continuity and disaster recovery: Covers assessment, plans and test results for business continuity and disaster recovery programs

Third-party risk management: Includes initial risk assessment through termination of third-party relationships

Model governance: Covers model risk management and AI governance

Separate tools and solutions are generally used for other risk management-related processes and information. These include regulatory change horizon scanning and content, reporting, skills and staffing, training, technology incident management, complaints management and job aids or knowledge base articles.

GRC solutions primarily provide institutions the opportunity to:

• Enforce policy and program requirements through defined channels for identification, documentation and decision-making relative to specific matters
• Manage workflow and prioritization of effort
• Realize efficiencies and reduce risk of error
• Enable improved risk insights, data aggregation and analysis
• Visually indicate compliance using an icon showing a bar graph with a checkmark

Example: Testing and issue management

GRC solutions can help with two key processes: testing and issue management. Both are driven by two types of data, namely, foundational data and activity-specific data.

Foundational data includes certain characteristics that apply to each module, such as the entity (for example, does this task refer to the institution’s broker-dealer or their bank?), the applicable risk (for example, does this task refer to operational risk or compliance risk?), or the regulatory requirement (for example, does this task relate to regulation B or regulation E?).

The GRC solution can drive integration and efficiencies in task execution by using consistent foundational data across all modules.

Activity-specific data refers to data that is related to a certain task, such as the result of a testing activity or the disposition of an issue. The GRC solution can drive deeper analysis by using the foundational data to make connections between the activity-specific data. For example, a finding from a testing activity related to regulation B might need the opening of an issue related to regulation B. While previously, such a connection would be dependent on manual processes and conclusions, a GRC solution can drive these realizations and promote stronger risk management.

Foundational and activity-specific data flows between testing and issue management. When testing activities yield results requiring the opening of an issue, the activity-specific data for the issue is generated by extracting data from both the activity-specific data for the test result and the foundational data stored and shared across risk processes.

The information graphic shows how testing and issue management draw from foundational data. 

By driving efficiencies and meaningful insights through their GRC, institutions can expect tangible outcomes such as:

• Enhancing visibility into the latest regulatory changes and how to manage their impacts
• Creating consistent aggregated views of risk across the entire organization, rather than in siloed operations
• Tightening accountability and ownership of enterprise risk and compliance processes
• Reducing the likelihood of unexpected risk events

These outcomes are contingent upon appropriate implementation of the GRC solution.

Institutions’ structure, operations and regulatory landscapes vary widely. Successful GRC implementation involves tailoring solutions to the specific objectives, risk appetite and organizational complexity of each institution. This approach emphasizes adaptable and customizable GRC solutions that can effectively grow with the organization. To drive maximum value from their GRC solution, we advise our clients to take this implementation approach:

Understand and enhance risk management capabilities. GRC solutions require an institution’s governance, risk and compliance management capabilities to be at a certain baseline to enable and ultimately maximize value. For example, institutions need a mature issue management program where issues are appropriately identified, managed and remediated, to enable issue management modules. Firms must assess and enhance their existing capabilities, as necessary, prior to implementing a GRC solution.

Identify business requirements. Institutions should develop a business requirements document articulating what the GRC solution needs to enable both for overall integration and within each risk management capability. This approach is beneficial when evaluating and selecting potential solution providers and can reduce the risk of cost and timeline overruns.

Review and select providers. Firms should take the time to meet with providers to understand the nuances in their capabilities and financial considerations to determine the best fit. Depending on the needs of the organization, more than one provider may be preferred to best meet overall and specific business objectives.

Pilot phase. Piloting a GRC solution at select business units can identify and remediate issues and shortcomings before the tool is introduced to the entire institution.

Full implementation. Full rollout of the tool should include a comprehensive training program to educate users and postimplementation testing to ensure that the tool is meeting business requirements and enabling effective management of risk. 

IBM Promontory experts have a comprehensive understanding of the diverse landscape of GRC solution providers and services. We recognize the nuances and functionalities offered by various GRC solutions, from established providers to emerging players, and have advised institutions of various sizes and complexity on identifying the solution(s) that work best for them. 

IBM Promontory has deep experience providing support to institutions before, and during, the implementation of virtually all GRC solutions in the market. This expertise extends to systems that may not conventionally fall under the GRC category but are desired by clients for their GRC functionalities. 

Enabled by IBM and IBM partner solutions and supported by IBM Consulting, IBM Promontory experts can help clients through: 

• Assessing and preparing risk management programs and processes for GRC solution selection and implementation 
• Developing business requirements that identify what the GRC solution needs to enable and why
• Evaluating and advising clients in their selection of potential GRC solutions
• Considering other tools or solutions in tandem with GRC, such as workflow tools (for example, SharePoint, Salesforce, IBM watsonx™ and Pega), reporting tools (such as Tableau, Power BI and IBM Cognos® Analytics) or content providers (for example, for regulatory change horizon scanning and content intelligence)
• Enabling end-to-end implementation of GRC solutions, including training, socialization and reporting