Key characteristics of a federated GRC strategy


Michael Rasmussen, Contributor
05.27.2008


GRC in the financial services industry


This tip is part of our Basel II risk management and implementation guide.

Governance, risk and compliance (GRC) are interrelated issues affecting financial services organizations. In the past, financial services firms have approached the areas of GRC as silos -- credit, market, operational, legal and regulatory risk -- each operating autonomously of the others.

GRC is about organizational collaboration
Today, by contrast, financial services firms strive to develop a more integrated GRC strategy that permeates the organization's processes, decisions and culture. That change demands the sharing of information, assessments, metrics, risks, investigations and losses across those former silos, all in an effort to reduce business uncertainty and produce predictable results.

This kind of "federated" GRC initiative involves a number of professional roles -- the corporate secretary, legal, credit risk, market risk, operational risk, audit, compliance, IT, ethics, corporate social responsibility and finance. Initial success of a federated GRC program can be measured by the presence of the following characteristics:

  • Sustainability. Financial services firms need a sustainable process and infrastructure for GRC requirements that are becoming more continuous and more onerous. Further, firms must assess their risk and compliance management practices on an ongoing basis; at the speed of business, point-in-time assessments are no longer good enough. The dynamic nature of the financial services industry demands that an organization address GRC collaboratively and continuously.
  • Consistency. Financial services firms require that multiple roles in the organization work together in an integrated framework. This requires a common framework so that the various business functions in the firm understand where they fit and how they can share data and collaborate. GRC is getting everyone to play their different positions (roles within the enterprise) from the same playbook. Consistency provides a holistic picture of GRC so that the organization can spot impending disasters and capture opportunities.
  • Efficiency. Redundant assessments and audit processes that look for similar information for different purposes prevent enterprises from getting business done. GRC aims to ease the burden on business areas by leveraging common processes, assessments and information.
  • Transparency. Financial services firms require transparency across key performance and risk indicators to monitor organizational health, take advantage of opportunity and avert or mitigate disasters. Corporate performance management is tightly related to risk management. When done correctly, performance and risk management are two sides of the same coin.

Developing a GRC vision
Once the points above have been used to gauge the basic operational effectiveness of a GRC program, it is time to turn the focus toward long-term strategic planning. Financial services firms face a complex array of risk and compliance demands. The complexity of risk and regulatory demands, as well as the nature of extended and global business, require that financial services organizations reengineer how they approach the silos of governance, risk and compliance by leveraging processes and information across GRC-related business processes.

Developing a successful, long-term federated GRC program involves taking the following steps:

  • Get executive sponsorship. Financial firms that try to build their GRC strategy from the "bowels" of the organization face continual struggles, typically in the form of internal political issues where GRC becomes a hydra with multiple heads going in different directions. It comes down to a matter of control, as these different political heads vie for a leadership position in the GRC strategy. Executive sponsorship alleviates this by establishing top-down direction. However, the bottom-up perspective still needs to be kept in view, as it is the people in the trenches who ultimately need to work in a consistent approach to GRC.
  • Define scope and roles. GRC is more than enterprise and/or operational risk. A successful GRC strategy within a financial firm starts by opening conversations with all the stakeholders in GRC-related domains. Bringing these roles into a collaborative discussion of and approach to GRC is what federation is about. A successful GRC strategy starts with defining the charter and vision for GRC and identifying the breadth of business processes and roles that will be incorporated into it.
  • Inventory current systems and processes. Getting the GRC roles together leads to the next step: understanding how the disparate GRC processes and systems have been implemented. Financial firms should undertake a detailed inventory of GRC-related processes, systems and technologies to identify where redundancy occurs and to establish points of integration.
  • Build your roadmap. This means identifying short-term and long-term action plans. In the short term, focus on easy wins that show the value of GRC, as well as on pressing GRC issues the organization is up against (e.g., Basel II, Solvency II, MiFID). For the long term, develop a plan to integrate the siloed areas of GRC that are less pressing, such as Sarbanes-Oxley or operational risk.

Conclusion
Ignoring a federated view of GRC in today's financial services environment leaves business processes, partners, employees and systems behaving like leaves blowing in the wind. Without a GRC strategy, different parts of the organization end up going in different directions in their respective GRC silos. This leads to wasted resources, inefficiency, a lack of transparency and significant exposure for the organization. GRC aligns them so they become more efficient and manageable. Inefficiencies, errors and potential risks can be identified, averted or contained. This reduces the risk exposure of the financial services firm and creates better business performance.

About the author:
Michael Rasmussen (mrasmussen@corp-integrity.com) is with Corporate Integrity, LLC. Michael is the authority in understanding governance, risk and compliance (GRC). He is a sought-after keynote speaker, author and collaborator on GRC issues around the world and is noted for being the first analyst to define and model the GRC market for technology and professional services. Corporate Integrity, LLC is a strategy and research advisory firm providing education, research and analysis on enterprise governance, risk management and compliance.


Copyright 2008 - 2009, TechTarget