Key takeaways

  • With substantial penalties for getting risk management wrong, companies need to enhance their risk maturity levels.
  • For diverse organisations, different risk profiles for different areas can make assessing risk profiles across the enterprise difficult.
  • Governance, risk and compliance software is aiding business in uplifting their risk culture and keeping them on the right side of expectations and regulation.

What’s your organisation’s risk profile?

Is it the same in legal as it is in IT? What about in sales or finance? In large organisations, these profiles can be quite diverse, making it hard for leadership to get a good grip on where the business sits holistically when it comes to compliance and risk.

That’s a problem. Governance, risk and compliance (GRC) aren’t matters of ticking boxes or pacifying regulators, they’re fundamental to how an organisation works, its culture, decision-making, customer experiences and ultimately, its success. Without visibility across the business, it can be easy to get off track, be misinterpreted or misunderstood, and potentially, cause a great deal of damage to your customers or brand. But there are technology solutions to help with this difficult but important task.

GRC software and platforms allow executives and boards to see where they stand when it comes to risk, evaluate what’s effective and what isn’t, and ensure that down the road they face happy, satisfied customers, not financial penalties, resignations and PR disasters.

The reality of risk

In 2017, the Australian Government established the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry after allegations of customer gouging, rorting, market manipulation, money laundering, terrorist financing and a failure to comply with statutory reporting was reported in Australian financial institutions.1 It was an example of what happens when governance, risk and compliance goes very wrong.

According to the final report, the evidence heard during the inquiry “showed that too often, boards did not get the right information about emerging non-financial risks; did not do enough to seek further or better information where what they had was clearly deficient; and did not do enough with the information they had to oversee and challenge management’s approach to these risks.”2

Further, the report stated, it was not about providing boards with more information, but providing them with the right information they needed to discharge their duty around “issues about breaches of law and standards of conduct, and issues that may give rise to poor outcomes for customers.”

This is not to say, of course, that risk is a matter solely for boards and senior management. As the Financial Stability Board notes in its Guidance on Supervisory Interaction with Financial Institutions on Risk Culture, weaknesses in risk culture are often ‘a root cause’ when it comes to the actions and decisions individuals within an organisation make, whereas a sound risk culture and strong risk governance framework will support risk awareness, good behaviour and the making of sound-judgements when it comes to taking risk.3

For boards, however, the Commission made clear that regulators should be more litigious in their enforcement, with the consequences for directors of misconduct in their organisations likely to be more profound and more public with a greater likelihood of criminal and civil proceedings, reputational impact and loss of directorships.

Why GRC is difficult for business

Understanding uncertainty and having processes and people in place to ensure that an organisation is adhering to policies and regulations is more complex an issue than it might seem. For diverse organisations in particular, the risks (and risk appetite), compliance requirements and governance can be quite different and require visibility at multiple levels.

Risk management is also often addressed retroactively via monthly leadership meetings rather than being an ‘always on’ dynamic and embedded approach across the organisation. Multiple technology systems are at play in many cases, with limited functionality to support or track problems, controls or tasks.

Additionally, reporting in many companies is done manually, relying on individual and often junior staff to put spreadsheet summaries together (which assumes, of course, that they know what to flag) based on risks defined by leaders above them, pushing the responsibility of risk and the reporting of it into separate spheres within the business. And with no way of knowing who knew what, when, or what controls were implemented, updated or followed, auditability becomes impossible not to mention an afterthought rather than something frequently measured and embedded in culture.

Not having a central view of risk across the whole business, especially for those at the C-suite and board level is perhaps one of the riskiest propositions of all, as it removes visibility over how governance and compliance is happening in every department and at every level of the organisation and assumes, with potentially serious consequences, that all employees have a shared understanding of sound risk practices and their ownership over control environments.

Taking risk digital

As with ‘going digital’ in most areas, the benefits of employing the right technology in the right way will not only alleviate many of the burdens of legacy ways of working, but it will also enable greater possibilities for the business as a whole.

GRC software such as LogicGate, IBM’s OpenPages, Highbond, MetricStream , RSA Archer or ServiceNow Governance Risk and Compliance come in many shapes and sizes, from those that manage specific processes or risks (eg. cyber, data) through to enterprise solutions that include GRC as part of larger integrated workflow platforms. They address many of the issues faced when it comes to GRC and can greatly improve the risk maturity of a business.

Not only do many of these platforms provide ongoing monitoring and reporting tools to digitise the way things were done before, they also step up the quality of the information surfaced. They include features such as continuous controls and process monitoring, policy management, access and privilege controls, version control for audit traceability, and incident management. This means that the volume and, more importantly, critical nature of the risk data seen is far more useful than what can be contained in a monthly static snapshot

Automated dashboards allow risk data to be visible, and comprehensible, to a greater number of employees, and can often be filtered from individual department level up to the whole business. While the IT department may see that they are 80 percent compliant, the CFO may note that the business as a whole is only 30 percent compliant prompting further investigation into where controls may be falling down.

This visibility, and granularity, fosters ownership and accountability across the business, with problems (and ownership) visible, and interrogatable to all if desired. Decisions made in siloed risk cultures become quickly obvious across the greater departmental or, ideally, single enterprise view. In turn, this supports a consistency of approach and controls to risk (which, if integrated with workflow management can be further standardised) and provides a sound risk culture uplift across the organisation.

Further automation benefits are evident in the integration of compliance with business and policy objectives. For example, with one financial services client, we integrated a GRC platform with third party providers of legal, regulatory and IT control information so that any changes or updates made to regulation which affected risk controls were flagged for impact assessment.

Non-risky business

While a risk tool alone won’t give an organisation the maturity uplift it needs, especially without a risk transformation program, with the right data and processes to feed into it, a contemporary GRC platform will go a long way in enabling strategic decision making from an informed risk foundation.

Given the reputational, financial and executive leadership damage done in the wake of the Royal Commission’s findings into financial institutional misconduct, it should be clear to any of today’s business executives that it is time to step up their approach to risk management.

Remaining compliant, however, should not be seen as an exercise in ensuring that an organisation plays within the lines of what’s allowed.

Instead, it should be seen as an opportunity to understand the effectiveness of an organisation’s risk culture, its respect for customers, commitment to safe conduct, accountability of employees and executives alike, and the ability to proactively assess risk. In turn, such an approach will pay dividends with customer trust, stakeholder confidence, and provide, with decision-making made off the back of sound information, a competitive advantage in the market.

 

Contributor

Robert Vine

Robert is a director in Financial Services in PwC Australia’s Consulting business.

More About Robert Vine

Contributor

Tessa Smith

Tessa is a partner in Technology Delivery Services in PwC Australia’s Consulting business.

More About Tessa Smith