Multiple theories have been put forth that inadequate risk management around economic, fiscal, and monetary policies contributed to the financial crisis. Most agree that the risk management failures were partly due to a lack of visibility into risks and to management's inability to effectively prevent, detect, and remediate them. Inconsistent risk management practices are especially pervasive in large, complex, and interconnected financial services organizations. These factors have created the need for higher standards for risk management, internal controls, and internal audit.
In September 2014, the Office of the Comptroller of the Currency (OCC), within the US Department of the Treasury, issued 13 risk governance standards to formalize its heightened expectations for national banks and federal savings associations with $50 billion or more in total consolidated assets. These standards provide guidance for banks to follow in establishing a rigorous risk management framework focused on governance, people, and processes, including the Board of Directors' oversight of the framework's design and implementation. While the OCC standards apply specifically to banks, we believe technology service providers to the banking industry should be aware of them and consider adopting them.
The OCC's definition of the risk governance standards reinforces the risk management principles it deems important for bank safety and soundness. The standards also make it more likely that examiners will scrutinize a bank's risk governance practices and criticize any lack of compliance. Under these provisions, the OCC may initiate enforcement processes when it determines that a bank has failed to meet the standards.
To establish a robust risk governance framework in line with the OCC risk governance standards, it is expected that your company manages its regulatory requirements through a well-developed governance, risk, and compliance (GRC) program. A leading practice is to enable the program with technology. Comprehensive GRC technology enablement can help unify and align otherwise fragmented risk management activities and enable resources to proactively focus on the most significant risks. Before embarking on a GRC journey, your company should have in place a defined risk governance program, operating model, framework, and documented processes. A GRC program can also be designed to directly support the core requirements of the OCC risk governance standards. Most importantly, the program must be able to stand on its own even in the absence of GRC technology. Figure 1 shows an example of how the OCC risk governance standards may be aligned with a GRC program.
As a basic example of how GRC technology can enable a risk management program, consider the OCC standard on the risk governance framework (standard #1). The required framework is typically supported by a series of policies and procedures that set the parameters for a company's risk management activities. GRC technology that includes policy management functionality can serve as the repository for those policies and procedures. It can also facilitate the workflow for reviewing and approving policy changes, and it lets access and visibility be tailored to each stakeholder.
Why Would Companies Implement GRC Technology Solutions?
GRC technology solutions can drive measurable improvements in overall risk management programs by providing a common risk management language, operationalized risk management activities, and enhanced integration within the business. The need for better risk management and alignment across the organization has driven companies to build an integrated GRC technology ecosystem that includes functionality to address the needs of IT risk and security, operational risk, internal audit and internal controls, vendor risk management, privacy, and compliance. Leading organizations have recognized this opportunity as a strategic imperative, enabling their GRC transformation with technology solutions, resulting in marked improvements in their process execution. Such companies have:
- Reduced silos of disparate compliance processes and information into a single, comprehensive enterprise repository
- Reduced the inefficiency of managing tasks manually and of generating and distributing reports through different media, such as spreadsheets and documents
- Employed a consistent and flexible approach for identifying, evaluating, and responding to risks
- Gained clear visibility into the status of their assessment efforts and their overall risk profile
- Communicated effectively to management by being able to map risk and compliance issues to the business
- Reduced time required to create and update policies, manage exceptions, and demonstrate compliance with multiple regulations
- Gained efficiencies when performing assessments through an “ask once, answer many” approach and through more timely and deeper monitoring of their risks and risk response effectiveness
As an example, SAP’s GRC solution portfolio is well aligned with the “Risk technology” governance standards listed in Figure 1. The GRC solutions can help transform fragmented risk management processes into a central, comprehensive process, which covers elements of financial, operational, compliance, and fraud risks. For instance, we have seen financial organizations use SAP Risk Management, SAP Process Control (which includes Policy Management), SAP Access Control, SAP Fraud Management, and SAP Audit Management.
At EY, our brand is built on the theme of “Building a better working world.” We believe that good risk management enables organizations to operate effectively and protects the interests of stakeholders and consumers, thereby enabling a better working world. The recently issued OCC “heightened expectations” guidelines will place responsibilities on banks and banks’ technology service providers to enhance their risk management programs. EY can help by assisting organizations in developing a sustainable and effective risk management program with operating models and governance, processes, and GRC technology. If your company decides to implement SAP solutions for GRC, EY can assist by creating a robust risk management program coupled with GRC technology to achieve sound and effective risk management practices.
For details on OCC standards, visit www.occ.gov. For more information on how your bank’s risk governance efforts can be developed and supported with SAP solutions for GRC, contact firstname.lastname@example.org or email@example.com.
The views expressed herein are those of the authors and do not necessarily reflect the views of Ernst & Young LLP.