GRC Solutions Imperative as Banks Face Regulatory Change

by FEI Daily Staff

Anyone remotely involved in politics or legislative affairs may be reading omens, signs from above, and tea leaves in an attempt to predict where the next year will take us, policy-wise. Depending on the outcomes of Presidential and Congressional elections, we could see a profound shift in the regulatory landscape.

Representative Jeb Hensarling (R-Texas) gave us a preview of what may come when he put forth the Financial Choice Act. Hensarling characterizes the FCA as a “market-based, equity financed Dodd-Frank off-ramp.” Since its inception in 2010, Dodd-Frank has had its share of detractors, who believe it overreaches and has negatively impacted banks and American consumers. The FCA, while highly unlikely to pass in this Congressional session, could come to fruition in some form in the next year if Republicans gain control of the White House.

Change Is a Constant

Whether or not you agree with the concept of “too big to fail” or keeping investment, mortgage lending, and consumer banking activities separate, it will pay to follow the discussion around FCA and the potential reform of Dodd-Frank. You may not hear much from TV pundits about what it means to banks and their operations, but as with any major pending reform, it’s important to stay informed and proactive. If the FCA or something like it passes, how are banks going to ramp up to adopt the changes? How will they change their policies and communicate to vendors, employees and customers? How will they prepare to move quickly to take advantage of broader options, and manage the new set of risks associated with their new opportunities?

Prepare for Proactivity

The financial services industry was forced into massive and sudden changes when Dodd-Frank passed. This was complicated for many institutions. Many banks chose to manage this change using office tools and first-generation governance, risk management and compliance (GRC) platforms. Office suites proved cumbersome and relied heavily on manual processes, costing banks millions of dollars to comply with Dodd-Frank. First-generation GRC platforms provided some cost relief and brought structure to the compliance and risk management processes, but these tools proved rigid and, as time passed, became difficult, expensive or even impossible to upgrade and change.

If the FCA passes, its proposed changes will likely have a similarly disruptive impact, especially for banks that continue to manage their compliance efforts with office suites and first-generation GRC platforms. The question now is whether banks will play the wait-and-see game as Dodd-Frank ends and its replacement (which may or may not be the FCA) takes shape, or whether they will see this time of constant change and potential upheaval as a compelling reason to finally mature their risk management and compliance capabilities.

We may not be able to predict the outcome of Election 2016, but we can be confident that Congress, the SEC, OCC, FDIC, FRB, and various states and foreign countries will continue to make regulatory changes that directly impact banking compliance programs. Beyond compliance, there are interconnected and ongoing challenges related to information governance, risk management, cybersecurity and consumer data privacy. Disruption from fintech upstarts, mobile payment technology, identity fraud, and international upheaval means that challenges are never in short supply.

Financial institutions are finding it increasingly imperative to adopt a comprehensive framework that integrates compliance, security, risk management and strategy efforts across the enterprise. Gaining a holistic view of all compliance and risk activities across operations and vendors helps manage the risks that can destroy value and reputation.

Audit Readiness

One of the most important reasons to be proactive and prepared is to avoid surprises during audits. Time and resources wasted on inefficient manual compliance and audit processes can mushroom quickly, cutting into profits and pulling focus away from customer-centric activities. When it comes to audit preparation, GRC solutions encompass the entire compliance lifecycle, systematizing and automating processes to reduce redundancy and human error. Process maturity is enhanced when repeatable procedures are standardized, regularly tested, and automatically remediated. The solutions automatically generate audit work papers and tasks using pre-prepared compliance content, streamline the gathering of evidence and remediation actions, identify risk and control owners, manage audit projects, prioritize audits by risk, match auditor skills to audits, and more.

GRC platforms cut the time of these audit activities from weeks and months to hours and days, improving the per-audit cost exponentially, allowing for more and deeper audit analysis, and freeing time for more and higher-priority audits. Integrating the audit process into risk and compliance management can also improve the relationship among all three lines of defense in risk management.

Why GRC?

When Dodd-Frank passed, many banks invested in GRC platforms to manage the new requirements and their operational impacts. In 2010, GRC technology was nascent, expensive to customize, and difficult to operate and upgrade. Because of these complexities, many banks developed workarounds instead of upgrading their GRC platforms. Many still have dedicated teams that perform GRC tasks manually. To address the need for better solutions, a few companies have built next-generation GRC platforms that are easier to operate, customize and update in response to changes. The integrated approach of a comprehensive GRC solution helps banks (and many other enterprises) be more proactive about managing regulatory changes, seizing market opportunities, and streamlining operations.

Next-generation GRC platforms create centralized and streamlined repositories of records, policies, and compliance documents, enhancing collaboration and breaking down the information silos that hinder efficiency and visibility in many financial enterprises. These solutions also include continually updated content libraries housing hundreds of laws, regulations, industry standards, best practices, and contractual obligations. Policies can be checked against all relevant requirements for gap analysis, and mapped to risks and controls. Awareness events can be sent to stakeholders to socialize policies and track acknowledgement. Key performance indicators can be pulled in from across the enterprise (including third parties) and run through the platform’s analytics engine to measure KPI trends against key risk indicators.

In an environment characterized by rapidly emerging technology, globalization, sophisticated cyber threats, and volatile politics, defensive measures have to be robust and integrated. A full-featured, comprehensive GRC platform lays a strong foundation across the enterprise for proactive compliance and intelligent risk management programs. In the event of fundamental changes, whether FCA or something yet to be seen, companies with the right technology and processes in place will be able to face complex challenges while sustaining competitive advantage and operational excellence.

Sam Abadir is the Director of Product Management at LockPath, a leading provider of governance, risk management and compliance (GRC) solutions.