Financial services is a highly regulated industry, and no one knows that better than the risk and compliance professionals who have spent years mastering the complexities of risk management. But when it comes to building a governance, risk, and compliance (GRC) program populated with the relevant and appropriate risk and control content, mastery of that content is useless if it isn’t expressed in the language and context of the people who have to use it.
As organizations grow, the risk and compliance team and the business team often grow apart, and that separation can even become adversarial. I’ve worked with clients who view the compliance function as a pure policing role. This dynamic sets up the wrong kind of relationship for optimum business growth. In reality, both the first line (the business, which owns and runs the risks) and the second line (risk and compliance, which oversees them) have been impeded by content that either isn’t relevant or isn’t organized in a way that makes sense to the business team. The first line doesn’t understand the view of risks and controls that the second line is working from, and the second line doesn’t understand the business’s products and offerings.