John Wheeler, the founder of Atlanta-based consulting firm Wheelhouse Advisors, has spent a lot of time the last few years thinking about how knowledge management solutions can support the governance, risk and compliance (GRC) efforts of financial services firms.
As a consultant, Wheeler has seen financial organizations continue to spend more money on GRC than they should, because of inefficient, manual processes. Several years ago, as senior VP of SunTrust Banks' Financial Reporting Risk Management Group, he began the effort to integrate GRC systems. "I made the business case for how it could cut costs," he says. "I showed how it could streamline and get us off so many different platforms and reduce the number of people involved."
Other financial executives in charge of enterprise risk management and compliance are becoming increasingly interested in handling more of their GRC chores with a unified solution (an approach referred to as "integrated GRC") instead of buying and running a number of different programs, which have difficulty sharing data.
"The struggle in financial services has been to enable senior management to get an all-encompassing view of risk," Wheeler says. "The financial crisis blindsided everyone about operational risks, and the regulators are now pressing financial organizations to have comprehensive enterprise risk management processes in place."
At SunTrust, Wheeler and his colleagues recognized the need for a solution to help with Sarbanes-Oxley controls. (Section 404 of the Sarbanes-Oxley Act of 2002 requires public companies' annual reports to include management's assessment of the effectiveness of the company's internal controls over financial reporting.) "But looking forward, we recognized that we might as well have solutions for other risk areas," Wheeler says. "We set out to establish a risk management infrastructure with individuals responsible across all lines of business, and all working together and communicating."
As Wheeler and others have discovered, however, the numerous business lines in major financial services firms look at risk in so many ways that it is difficult to get them to agree on definitions.
The organizational issues are the biggest to overcome, according to Forrester Research analyst Chris McClean. "These groups have been doing risk and compliance forever, and if you tell them here's a new framework, they can and should be skeptical about it," he says. McClean is hearing from many financial services clients who say they see value from integrated systems. They typically cite three benefits:
- Efficiency: Instead of sending someone out into five or 10 departments to gather information, they can much more easily aggregate that data and the reporting of it into a central location.
- Risk reduction: They can see ways to remediate risk concerns across the enterprise more easily.
- Strategic support: It can help organizations make better decisions. For instance, in a merger with a potential business partner, cost and performance come first, and risk usually comes in last. But how often business execs use risk and compliance data in those decisions can be a measure of the system's value.
Scott Wisniewski, director of global risk technology solutions at Protiviti, a consulting and internal audit company as well as a software provider, agrees with McClean that getting executives to agree on a common platform is half the battle.
Banks already have chief risk officers, chief financial officers, chief auditing executives and general counsels who are strong in this area, according to Wisniewski. "But the more people you have with this focus, the more who build their own domains," he says. They store information in Word documents and spreadsheets, or they might be using GRC products from different vendors.
"To the chief information officer, it makes no sense for these to be siloed systems," he says. "The IT group would like to simplify." But because there is no single person with total responsibility, adoption of integrated GRC systems has been slow, Wisniewski explains.
"We have been talking about this for four or five years, and it hasn't happened as quickly as vendors and consultants thought it would," he says, "even though people in financial services will agree that it makes a lot of sense." Even if you do get people to rally around the idea of integrated GRC, you still have difficulty getting them to agree on common terms and methodologies, according to Wisniewski.
"This is where enterprise knowledge management comes into it," he adds. Banks must pay attention to how they are assessing operational, market and credit risk, and how they are going to report on it across their business lines. With the "Too Big to Fail" provisions in the Dodd-Frank Wall Street Reform and Consumer Protection Act, banks must report on capital, leverage and liquidity, and that involves a very broad documentation exercise. And banks must deal with many other regulations, especially international ones.
With so many different regulatory environments, if you handle compliance for each business line individually and approach them for documentation, you will be paying more to do it and working with different teams of consultants and vendors, Wisniewski says. "Using a central platform gives you the ability to demonstrate what you do and to tell regulators a clear, clean story rather than handing them a bunch of spreadsheets." It also allows you to more easily gather information about regulatory content changes relevant to your own business context and drive alerts to the right personnel.
Ironically, although the financial crisis highlighted the need for better GRC solutions, it also forced budget cutbacks for such major software initiatives, which can cost more than $1 million. "With the financial crisis, those projects slowed down, and people pulled back to basics," McClean says. "But now we are seeing it pick back up again."