GRC traditionally used to be siloed, and the technology underpinning it, monolithic. Simply put, in the age of cloud, AI/ML, and microservices, this is no longer a viable option for companies that wish to rise to the opportunities of the new world and deliver, opines Jaya Vaidhyanathan, CEO, BCT Digital, in a detailed interview
Some edited excerpts:
How is the nature of varied risks encountered by organizations and financial institutions shifting in the changed circumstances?
Post the global financial crisis of 2008, risk management as a function has evolved in shape and form, becoming a business imperative. Fast forward to 2021, and our world is going through a series of dramatic changes, as the ripple effect of unprecedented and potentially catastrophic events, like the COVID-19 pandemic. As a consequence, the global landscape of Governance, Risk, and Compliance (GRC) is becoming increasingly complex. Every day, more pertinent risks are emerging, challenging the way businesses are used to operating until now. Of course, the more conventional risks, such as financial and operations risks, are still business-critical. But today, CXOs also need to be wary of relatively newer risks and consider them on equal footing.
A few examples of newer risks include:
– IT risk – triggered by changes in the technological landscape, including an explosion in the number of operating systems and their variants thereof, the newer form factors of mobile/wearable devices which may not have been envisaged previously are now key
– Data Privacy – a risk that has been in existence for some time now, but one which has assumed gigantic proportions since 2020, due to the forced remote working conditions
– Cyber security risk, also gaining prominence due to distributed working and service delivery in recent times – something which even the Reserve Bank of India has highlighted as a key risk in its Financial Stability Report in January 2021.
– ESG – With increasing awareness on issues such as climate change, activism around ESG cannot be dismissed as mere agenda driven, but should be seen as something having a bearing on the market capitalisation of the business, with even fund houses incorporating ESG in filtering criteria for investing.
– Business Continuity – Shorter business cycles and disruptions of multiple kinds – natural and man-made make business continuity risk a key monitoring parameter.
– Conduct risk – relating to the behaviour of employees, which could have a material impact on the business, due to quick word of mouth through social media.
Next-generation risks require next-generation risk management practices. Financial institutions, for one, need an integrated GRC framework to ensure they can effectively navigate procedural complexities and maintain a sustainable and profitable market standing. But bringing this multi-layered framework into an organization and ensuring its cohesive deployment is easier said than done.
What are the challenges faced by organizations with respect to governance, regulatory, and compliance and how can they be tackled?
GRC is by no means a new concept; a lot of companies already have legacy systems aligned to the existing risk landscape. But in a heavily digitalized economy, risks are not only higher, but also diverse. This sheer diversity implies a re-imagining of the way we currently deal with risks.
The challenges faced by organisations in this scenario are as follows:
– Increasing compliance requirements: With tightening regulation in each geography as well as geographical expansion of corporates across regulatory regimes, the sheer number of regulatory compliance requirements is huge today, which makes adherence to them, and tracking the same, very challenging.
– No single view of risk: Lack of an organization-wide imperative means most conventional GRC practices are running in siloes and do not sync up with broader strategic goals. In the modern-day context, GRC is the pulse of an organization. Not only does it need to be comprehensive, but it also needs to touch all layers of an organization.
– Quantification of Enterprise Risk: The Basel III guidelines improve upon previous AMA (Advanced Measurement Approach) with the revised standardised approach to a capital calculation for operational risk, using organisation size and past losses for capital computation. This means that organisations need to have a repository of past loss data maintained transparently.
While the specific challenges concerning GRC are outlined above, the overarching message is that the market is watching how organisations manage enterprise risk, thereby directly having an impact on shareholder value. This is a very good reason for organisations to take GRC seriously, as a core business function rather than relegating it to traditional audit activity.
How is the significance of effective GRC strategies rising for organizations and their stakeholders?
The success of any business today lies in its ability to transform overnight. Agility is everything in a risk-prone world, where the rules of the game are rapidly changing. Add to this the pressure of rapid regulatory changes and high penalties for non-compliance, the need for GRC to become a more fluid and dynamic framework becomes self-explanatory.
GRC traditionally used to be siloed, and the technology underpinning it, monolithic. Simply put, in the age of cloud, AI/ML, and microservices, this is no longer a viable option for companies that wish to rise to the opportunities of the new world and deliver. An agile GRC framework would be an integrated, enterprise-wide solution involving all three layers of defense of an organization. An effective GRC strategy would bring together diverse and complex stakeholder perspectives into a unified format that is dynamic and scalable to regulatory requirements. Some of the more competitive players of our era are already aggressively deploying GRC frameworks making use of aforesaid technologies to make them more effective and intuitive. In many instances, the results have been outstanding.
How can technology positively influence GRC strategies towards increasing their effectiveness?
Technology is already proving to be a strong enabler in driving organizations to expected results. We discussed how new GRC tools and technologies have been connecting the three lines of defence within any business.
Innovative GRC frameworks, which rely on the latest technologies, like AI and analytics, are the answer to organizations’ call for paradigm-changing solutions. For instance, moving to a cloud-based architecture facilitates the use of microservices that can help contain operational costs. Predictability can be improved through AI/ML, while limiting silos, enabling data visualization and advanced reporting. Such technologies simplify GRC across the organization while engaging stakeholders uniformly. This achieves two goals – better compliance at lower cost, and a 360-degree view of risk across the organisation. Investment in technology is not a good-to-have, but a must-have, to track new-age risks such as cyber security risks.
Interestingly, for such a formidable area, a lot of technology players have already penetrated the market. The GRC market is quite heterogeneous today. There is no one comprehensive solution, but several point solutions exist that underpin organizations’ efforts to effectively adopt GRC. What is truly ingenious is how effective these point solutions have been in bringing integrity and cohesiveness into an otherwise fragmented state of play – contrary to what one would expect.
How does BCT Digital leverage AI/ML and predictive analytics to enable organizations to manage varied risks and drive digital transformation?
GRC remains a time-consuming and expensive task for most organizations. For one, it requires a specialized skill set. Risk data is stored across disparate formats and processed manually. Getting relevant and structured on-demand information to stakeholders in real-time is highly challenging. The current regulatory climate and procedural complexities add to these challenges.
The GRC suite of BCT Digital’s rt360 risk management suite supports enterprise-level management of governance, risk, and compliance. rt360 as a complete risk management solution is custom-designed by risk practitioners and technology specialists using a ‘business-first, technology next approach empowering organisations to focus on their growth while managing their risks. It is available on the cloud, on-premises, or as a hybrid solution, which not only allows users complete flexibility but also brings significant cost benefits. A completely automated risk product suite, run by sophisticated AI/ML algorithms, and built on flexible microservices architecture, the rt360 GRC suite empowers organisations to effectively manage their GRC requirements.
Please elaborate on the innovations and nuances in risk management and tech transformation of the banking industry in the new normal?
The rapidly evolving technology scenario brings several changes to the way we perceive and manage risks. This movement is spearheaded by the emergence of technologies like cloud and microservices, which are making it easier for organizations to customize to their unique requirements. Particularly, while every organisation may have different GRC requirements, there is an increasing push towards a single enterprise-level GRC platform that can give a comprehensive view of risk across departments and levels. This is important in the context of new business realities that may introduce risks in different areas which may be related to each other – lockdown induced remote working resulting in heightened IT risk as well as third party risk, for example. This, in turn, requires some enablers in the underlying technical architecture to achieve the desired scalability and flexibility. Some of the underlying technologies that are enabling tech transformation in banking are:
• Microservices architecture: GRC frameworks are becoming more modular, thanks to microservices-based architecture that makes customizing simpler and faster
• Risk library and workflows: An organization’s GRC framework needs to be aligned to a well-maintained repository of risks and reusable assets to further improve responsiveness and agility. Better visibility and stakeholder involvement across the organization are enabled through a comprehensive workflow management system
• Cloud, analytics, and AI: We discussed how moving to the cloud can help organizations better manage their operational costs. Adding AI/ML and predictive analytics to the mix can dramatically enable higher predictability and accuracy
• Higher security: The evolving technological facade brings home more sophisticated risks and frauds. Cyber security is paramount to helping organizations maintain the sanctity and confidentiality of their business-critical competitive data and systems.