
Key characteristics of a federated GRC strategy

A federated GRC program involving numerous roles and business units can effectively help a financial services organization avoid inefficiencies and potential risks. In this tip, GRC expert Michael Rasmussen offers a basic litmus test to ensure that a corporate GRC program is functioning properly, and offers guidelines for scoping out a long-term GRC vision.

This tip is part of our Basel II risk management and implementation guide.

Governance, risk and compliance (GRC) are interrelated issues affecting financial service organizations. In the past, financial service firms have approached areas of GRC as silos -- credit, market, operational, legal and regulatory risks -- that operated autonomously of each other.

GRC is about organizational collaboration
Conversely, financial service firms now strive to develop a more integrated GRC strategy that permeates an organization's processes, decisions and culture. That change demands the sharing of information, assessments, metrics, risks, investigations and losses, all in an effort to reduce business uncertainty and produce predictable results.

This kind of "federated" GRC initiative involves a number of professional roles -- the corporate secretary, legal, credit risk, market risk, operational risk, audit, compliance, IT, ethics, corporate social responsibility, and finance. Initial success of a federated GRC program can be measured by the presence of the following characteristics:

  • Sustainability. Financial service firms demand a sustainable process and infrastructure for GRC requirements that are becoming more sustained and onerous. Further, financial service firms must assess their risk and compliance management practices on a continuous basis; with the speed of business, point-in-time assessments are no longer good enough. The dynamic nature of the financial services industry demands that an organization address GRC collaboratively and continuously.
  • Consistency. Financial service firms require that multiple roles in the organization work together in an integrated framework. This requires that a common framework be in place so the varying business functions in a financial services firm understand where they fit and how they can share data and collaborate. GRC is getting everyone to play their different positions (roles within the enterprise) from the same playbook. Consistency provides a holistic picture of GRC so that the financial services organization can draw attention to disasters and capture opportunities.
  • Efficiency. Redundant assessments and audit processes that look for similar information for different purposes are preventing enterprises from getting business done. GRC aims to ease the burden on business areas by leveraging common processes, assessments and information.
  • Transparency. Financial service firms require transparency across key performance and risk indicators to monitor organizational health, take advantage of opportunity and avert or mitigate disasters. Corporate performance management is tightly related to risk management. When done correctly, performance and risk management are two sides of the same coin.

Developing a GRC vision
Once the above-mentioned points are used to determine the basic operational effectiveness of a GRC program, it's time to turn the focus toward long-term strategic planning. Financial services firms face a complex array of risk and compliance demands. The complexity of risk and regulatory demands, as well as the nature of extended and global business, require that financial service organizations reengineer how they approach silos of governance, risk, and compliance by leveraging processes and information across GRC-related business processes.

Developing a successful, long-term federated GRC program involves taking the following steps:

  • Get executive sponsorship. Financial firms that try to build their GRC strategy from the "bowels" of the organization face continual struggles, typically in the form of internal political issues where GRC becomes a hydra with multiple heads going in different directions. It comes down to a matter of control as these different political heads vie for a leadership position in the GRC strategy. Executive sponsorship alleviates this by establishing a top-down direction. However, the bottom-up strategy still needs to be kept in perspective, as it is the people in the trenches who ultimately need to work in a consistent approach to GRC.
  • Define scope and roles. GRC is more than enterprise and/or operational risk. A successful GRC strategy within a financial firm is going to start conversations with all the stakeholders in GRC-related domains. Bringing these roles to a collaborative discussion and approach to GRC is what federation is about. A successful GRC strategy starts with defining the charter and vision for GRC and identifying the breadth of business processes and roles that will be incorporated into the GRC strategy.
  • Inventory current systems and processes. Getting the roles of GRC together leads to the next step of understanding how disparate GRC processes and systems have been implemented. Financial firms should undertake a detailed inventory of GRC-related processes, systems and technologies to identify where redundancy occurs and establish points of integration.
  • Build your roadmap. This means identifying short-term and long-term action plans. In the short term, focus on easy wins to show the value of GRC, as well as pressing GRC issues that the organization is up against (e.g., Basel II, Solvency II, MiFID). For the long term, develop a plan to integrate the siloed areas of GRC that are not as pressing, such as Sarbanes-Oxley or operational risk.

Ignoring a federated view of GRC in today's financial services environment results in business processes, partners, employees, and systems behaving like leaves blowing in the wind. Without a GRC strategy, different parts of the organization end up going in different directions in their respective GRC silos. This leads to wasted resources, inefficiency, a lack of transparency, and significant exposure to the organization. GRC aligns them to be more efficient and manageable. Inefficiencies, errors and potential risks can be identified, averted or contained. This reduces the risk exposure of the financial service firm and creates better business performance.

About the author:
Michael Rasmussen is with Corporate Integrity, LLC. Michael is the authority in understanding governance, risk and compliance (GRC). He is a sought-after keynote speaker, author and collaborator on GRC issues around the world and is noted for being the first analyst to define and model the GRC market for technology and professional services. Corporate Integrity, LLC is a strategy & research advisory firm providing education, research and analysis on enterprise governance, risk management and compliance.
