As I mentioned in the previous blog "When best of breed financial crime and compliance “point solutions” aren’t enough", many companies are increasingly looking to consolidate their various operational risk, compliance, audit and business continuity solutions. This is to help break the GRC silos and create a “single source of the truth” for better risk based decision making.
While this is arguably easier using a single GRC data source and a single provider of all GRC linked solutions, today’s reality paints a very different picture. Over time many companies have brought in a variety of GRC point solutions that addressed specific regulatory or organizational pressures at that time but without a longer term strategic or consolidation view.
It is not unusual to see KYC/AML transaction monitoring, case management and suspicious transaction/regulatory reporting (and sometime fraud) requirements met by one or two suppliers, PEP screening another and loss data capture and risk/control assessments, Operational Risk capital calculations, business continuity management and audit requirements managed by excel or further/different suppliers.
As well as being generally inefficient and creating many operational risks in its own right, the end result of this approach is a patchwork GRC framework with data silos dotted all over the company, each being managed by different people, with different views on the importance of data quality and timeliness. This is a difficult situation for senior and executive management who are under increasing pressure to improve their visibility on the company’s risk landscape and bring in more risk based decision making.
However, while the GRC “single source of truth” may be ideal, a complete consolidation programme to get there is not always financially viable, or even desirable, at a boardroom level according to a report issued by KPMG in 2012.
According to the KPMG survey, (The Convergence Revolution),“GRC” is already seen to be consuming a large proportion of company budgets and this perception may be deterring companies from investing in improving its coordination and consolidation.
In the report, KPMG further reveals that almost two-thirds of respondents considered GRC "convergence" to be a cost rather than an investment, further damaging the chances of obtaining further budget. However, as the below chart shows this is just one of many barriers to achieving greater consolidation.
Question: Which of the following do you consider to be the most significant barriers to greater convergence of governance, risk and compliance at your organization?
So, what to do?
It is under this environment of perceived complexity, high cost and unclear benefits that companies are increasingly looking to risk and compliance reporting solutions to help solve their GRC consolidation issues.
By implementing a GRC analytics reporting layer, one that imposes a standard GRC taxonomy, takes in data from the various GRC data sources and consolidates it into a series of enterprise level and actionable management dashboards and reports, companies can achieve many of the associated benefits that go with consolidation.
With the right type of business focused analytic reports and dashboards (heat maps, trending, point in time and time series) along with sufficient historic data, at a minimum, this approach allows companies to make some sense of the vast stores of GRC data that they have within their enterprise and start to make more informed risk based decisions.
This improves further if the solution can be configured to provide ad-hoc and on-demand reporting and matches the specific requirements of the various GRC roles, such as operational risk personnel, audit teams, compliance teams, lines of business management and executive management.
All in all this represents a simple, cost effective and lower risk option to help move the company towards the widely desired GRC consolidation. What do you think? We’d love to hear your views on this topic.
Matthew Long is a Financial Crime and Compliance Specialist for Oracle Financial Services Analytical Applications at Oracle. He can be reached at matthew.long AT oracle.com