Governance, risk and compliance (GRC) priorities for 2016

03 March 2016

Even as the governance, risk and compliance (GRC) industry focuses on convergence as a way to simplify, enhance and accelerate GRC programs, it is essential that GRC stakeholders acquire the ability to manage unique workflows and adapt to relevant changes in technology, regulations and business profiles.

Here are three key considerations organisations should keep in mind as they approach convergence this year:

Organisation risk management needs to be more agile.
One of the dominant GRC themes we see is the need to manage risk with greater agility. Increased regulatory expectations and the ongoing emergence of new risks represent a new, permanent operating paradigm. For many organisations, the status quo approach has been to adapt by expending significant time, money and resources to implement individual solutions that make limited use of information from other assurance functions and do not feed into a more holistic risk picture. 

A better approach – an agile approach – is flexible and nimble enough to respond to the changing environment effectively and efficiently, before evolving risks can have a major impact on customers, shareholders and employees. By aligning the organisation and enabling informed executive decisions, agile risk management will enable successful anticipation and response to a rapidly-changing environment, resulting in greater operational excellence and customer satisfaction.

Fundamental to creating an agile risk management framework is implementing technology and processes that create a unified operating model for business management and risk management, with clear first-, second- and third-line of defense accountability.

Organisations will more aggressively pursue GRC convergence, but in doing so, they must not forget the basics with regard to people, processes and technology.
According to the fashion idiom “everything old is new again,” fashions go out of style, then come back with a modern twist. In 2016, organisations will need to refocus on the basics of people, processes and technology. In a world in which rapidly released whiz-bang technologies promise to solve all problems, too many companies tend to buy a new technology before they have created an adequate GRC framework that addresses these foundational elements of the business. This has to be a framework that takes into account the needs of all stakeholders, that anticipates the end state of the business processes they want to support and that can grow and adapt as their risk profile changes.

The good news is that modern GRC applications are far more extensible and configurable than they used to be, such that organisations’ integrated GRC frameworks can be supported by a number of platforms. But it is imperative that this not be taken as a license to “put the cart before the horse” and take a technology-first approach.

To implement new technologies successfully, organisations need to get back to first looking across the five other key elements of their GRC infrastructures: the organisation of the business, the policies that need to be implemented, the processes that need to be supported, the methodologies to be used and the reporting requirements. Once this is done, the right technology can be implemented to ensure an agile, scalable environment that effectively supports the organisation’s changing needs.

Organisations are well served to leverage existing infrastructure as part of their convergence strategy.
To respond to risk with agility, organisations need a harmonised GRC framework that allows for differences among stakeholders. They also need a foundational technology architecture that supports bringing different stakeholder groups together to share GRC process information – while allowing differences to exist and providing key capabilities that relate to a particular domain.

To achieve this, organisations – and the GRC industry in general – need to realise there is no one-size-fits-all solution. And while it’s important to converge GRC activities as much as possible when there is true synergy, most organisations will need to continue to rely on different existing systems that meet their particular needs. As a result, GRC committees tasked with coordinating multidisciplinary efforts will be well served to consider elements of their existing infrastructure that can provide an overlay of workflow and reporting that allows different systems to complement each other and enable holistic management dashboards.

Findings and actions management is a good example of where synergy and differences may exist across stakeholders. Whereas individual assurance functions typically have a need to log issues in their specific documentation system, these issues may be promoted to an enterprise issue management system – such as a centrally designated GRC platform or SharePoint – to provide business owners with a single place for acting upon their assigned issues.

Yes, convergence will be a key GRC theme in 2016, but it is essential for organisations to take a smart approach to convergence in order to increase agility and drive down costs while ensuring that all GRC stakeholders will have the workflow and reporting solutions they need.

An article from Scott Wisniewski, Managing Director Risk Technologies at Protiviti.


An 8-step framework for banks to prepare for FRTB changes

02 April 2019

With FRTB expected to come into force in 2022, it is critical that banks implementing necessary changes remain on track for their compliance timelines. Whether a company is aiming for the mandatory Standardised Approach (SA) or the voluntary Internal Models Approach (IMA), the programs often represent a significant investment, requiring process, systems and cultural change. 

Drawing from its experience in helping banks meet the milestone set in their compliance timelines, Capco – a management and technology consultancy for the financial services industry – has developed an eight-point prioritisation framework for FRTB preparation and implementation. Natasha Leigh Giles, a Managing Principal at the consultancy, outlines the main dimensions of the framework: 

Prioritisation framework for FRTB

1. Front office operating model

For those who have already implemented the Volcker rule, the desks are well defined with monitoring and governance frameworks. However, for companies that have not been required to adhere to the U.S. regulation, there may be additional work involved in implementing desk-level controls as required under FRTB. The trading desk structure is especially important for banks planning to implement IMA, as this regime is applied at the desk level and requires that the full flow of the selected desk is able to pass the IMA requirements (including the modelability test for the risk factors). Key business decisions may be required if a desk trades complex products that are more aligned for SA treatment. 

2. Product scope

In order to reach the IMA status, products are required to be supported with additional data sets including historical market and reference data as well as risk factor pricing evidence. The opportunity for 2019 lies in refining the assessment on the feasibility of each product type to ensure a clear scope is agreed for the IMA environment. If the challenges are too complex or costly to overcome, such as access to historical market data, availability of price verification for the risk factors or significant enhancements to support computational capacities, then these products should be scoped out of the IMA program as soon as possible in order to save time and effort on continuing analysis. 

3. Client & trading activities

There is no need to wait until the FRTB implementation timeframe to undertake a holistic review of client and trading profitability – including the capital impacts. For example, running training and awareness campaigns within the front office can help the traders to understand the impacts of their activities and encourage changes in the way that they trade. Considering this holistically as a business and operational change can help keep the focus and resources on the primary (profitable) business in preparation for the compliance deadline.

4. Internal controls

Methodology, reporting, auditability, and process governance for internal controls also need to be monitored in detail. We recommend having clearly defined processes accompanied by effective training across front-to-back office. For some banks, it will be beneficial to audit existing capital adequacy processes to ensure that findings are highlighted in advance of the implementation timeline and the appropriate focus is achieved within senior management.

5. Data & metrics

Financial institutions need to consider their overarching governance and ongoing management for the data (including ownership, quality control, golden source storage solutions, etc.) and the ongoing control framework for ensuring the data remains accurate and relevant for capital adequacy modeling. If there has not been a data lineage exercise already applied, this is a great opportunity to deliver business benefit, even in 2019. By creating agreed definitions, preferred sources, ownership and workflows for managing data quality, the benefits of more accurate data can already be applied to existing capital calculation models. 

6. Model management & validation framework

In preparation for the FRTB regime, an opportunity for 2019 is to understand if there are gaps or control concerns to manage immediately. Model enhancements across SA and IMA will need to be productionized for output accuracy and refinement; however, these need to be maintained alongside existing Basel 2.5 BAU models and other concurrent changes, e.g. LIBOR Transition. Business process optimization, testing environments and automation tools, documentation and model validation can all be reviewed for immediate benefits and to prepare the process for a smooth implementation of the future FRTB models.

7. Technology platform & testing environments

With regard to technology planning, the opportunity in 2019 is to focus on gaining agreement on the front-to-back FRTB future state architecture, including the use of vendors as applicable. A disciplined focus on design and solution definition across all requirements provides a clear baseline for implementation planning and scheduling. Establishing a technology architecture which allows for FRTB data feeds, model enhancements, control definitions and accurate capital calculation outputs will provide the program with essential data and metrics needed for decision making.

8. Leveraging synergies

Once a baseline plan has been established, it is possible to identify synergies across other programs – such as the SA-CCR (Standardized Approach for Counterparty Credit Risk) or the IMM (Internal Models Methodology) – that could deliver overlapping benefits at reduced effort. Understanding requirements, defining the future state architecture, and implementing the change in a complex environment requires a mix of strategic principles and program management. Therefore, we consider it an opportunity for 2019 to take a centralized approach for data lineage and requirements gathering as this would be beneficial for optimizing capital costs across both the market and credit risk environment.


By considering each topic strategically in 2019, benefits such as data quality enhancements, strengthened internal controls and flexible test environments will not only bring immediate business value, but also set a solid foundation for a comprehensive FRTB implementation in the years to come. 

For more information on Capco’s model and its approach in helping banks plan for FRTB, download the full whitepaper on the firm’s website.