When designing a GRC program for your bank, success depends on enabling content with context

Gregg Anderson
1/25/2021
When designing a GRC program for your bank, success depends on enabling content with context

Financial services is a highly regulated industry, and no one knows that better than the risk and compliance professionals who have spent years mastering the complexities of risk management. But when it comes to building a governance, risk, and compliance (GRC) program with all the relevant and appropriate content of risks and controls, mastery of that content is useless if the content isn’t in the language and context of the people who use it.

As organizations grow, the risk and compliance team and the business team often grow apart, and that separation can even become adversarial. I’ve worked with clients who view the compliance function as a pure policing role. This dynamic sets up the wrong kind of relationship for optimum business growth. In reality, both the first and second lines have become impeded by content that either isn’t relevant or isn’t organized in a way that makes sense to the business team. The first line doesn’t understand the view of risks and controls that the second line is looking at, and the second line doesn’t understand business products and offerings. 

Turn red tape into a green light for the business by creating a common language for risks and controls.

Turn red tape into a green light for the business by creating a common language for risks and controls.

So, we now understand our challenge: how do we build a GRC program that not only includes the relevant risks and controls but also helps communicate them in a way that makes sense to the first line? For the most part, we’ve responded to this challenge by acting as though the bulk of the responsibility lies with the first line, who are expected to respond and adapt based on evaluations and recommendations made by the second line.

To the first line, the second line is detached, only interacting with business folks by periodically swooping in with a perfunctory check to see whether the business is operating in compliance or not. 

Although it may seem to business folks that the second line is obsessed only with ticking off items on a compliance checklist, the reality isn’t that simple. There’s no easy way to apply the complex interconnected webs of risks and regulations to the fast-changing world of business. What seems like a simple matter of presenting the first line with a yes-no compliance checklist doesn’t actually address the heart of the challenge, which is to help a risk professional 1) identify product-specific risks, 2) communicate those risks in an understandable way to the business line, and 3) make sure appropriate controls are in place to mitigate those risks.

Until now, financial services companies haven’t been able to address this challenge fully. Some companies have tried to use overly complicated GRC platforms that weren’t created for the financial services industry, which usually makes the problem worse. Others have implemented sets of one-off “point” solutions that each do a single task, which again leads to added complication and silos. And many companies use homegrown options, with different departments maintaining their own spreadsheets and documents to track risks and controls. Internal audit teams may also be working from a different set of information altogether.

When you consider the range of piecemeal situations across the spectrum of financial services companies, the scope of the problem becomes clear. Risk and compliance is segmented within the business: Different groups are working from different vocabularies, trying to harmonize different taxonomies and language. 

To move beyond this dynamic, then, we need a common language: a mutual way of understanding the relationship between business functions and risk and compliance. 

The first step: establish risk and compliance content that serves as a source of mutual truth.

The first step: establish risk and compliance content that serves as a source of mutual truth.

Any step toward improving communication between the first and second lines must have buy-in from the business team. Generally, the business is focused on growing the business and producing revenue, and so they respond best to information framed in those terms. They need to understand what relevant risks apply to their day-to-day activities and how the proper controls will help them move faster to support new product launches and other business initiatives. 

Risk and compliance professionals are charged with identifying relevant risks and determining whether the organization has them well controlled. In many cases, addressing these issues is challenging, because the business team doesn’t really understand what the risk is, or the control may reside in a different department than where the risk presents itself. 

If we look at a real-world example — such as the home mortgage line of business — we see how inefficient the typical GRC process is. Organizations often have one department that sells mortgages and another that services them . (In some cases, they may outsource the servicing of the mortgage to a third party.) Both departments need to make sure that the bank complies with flood insurance requirements. Meanwhile, compliance professionals need to work with the business to determine where flood insurance risks reside within the organization and create relevant controls to be embedded into business processes. 

Part of the challenge here is in fixing the perpetual blame game. The profit-driven first line wants to grow revenue and take on risk, but when a problem pops up, the finger typically points at the second line, whose job is to understand risks and communicate them to the business line.

Use context to communicate effectively with the business team.

When discussing risks and controls between the first and second lines, here are three things to keep in mind:

  1. When discussing a risk, describe it in the context of the business:
    “Within our consumer lending business, the risk is that we fail to comply with the insurance coverage requirements of the Flood Disaster Protection Act…”
  2. Refer to products and processes:
    “... when making, extending, or renewing a mortgage loan…”
  3. Describe the consequence:
    “... to avoid fines, regulatory action and reputation impact due to noncompliance.”

Similarly, when discussing controls, consider the following:

  1. Be explicit about who has responsibility for the control:
    “The Consumer Lending Area supervisor will review the Flood Insurance Declaration or Flood Insurance Policy Application provided by the loan applicant...”

  2. Include the frequency of the control:
    “... on a daily basis…”

  3. Describe how the control execution is documented:
    “... through the completion of the bank’s mortgage loan origination checklist including the Flood Coverage Adequacy worksheet.”

This language can be utilized even if the control is one that is performed by a third party.  This allows everyone to see the complete risk and control framework. By using this common language, you can build your GRC program on a foundation that allows everyone in the organization to understand:

  • The risks (and potential impacts) that are inherent in the bank’s business lines, its products, and supporting business processes
  • How the bank (and through documented responsibilities) manages these risks within its regular business operations
  • How the bank’s GRC program needs to adapt as its business model continues to evolve

An effective GRC program is designed in a way so that risks and controls can be viewed from a risk perspective or from a process perspective. This type of design allows risk and compliance professionals to put this information in the proper context through the mapping of risks to products, processes, and business lines.

Learn more about Crowe IRM-as-a-Service or schedule a demo

Crowe IRM-as-a-Service builds and organizes accessible content so you can move forward together.

Based on our extensive work over the years helping organizations achieve integrated risk management (IRM), we’ve developed Crowe IRM-as-a-Service. Among many other benefits, this solution helps small and midsize financial services firms streamline the communication between the first and second lines by enabling views of risks and controls that are organized by product lines and business functions.

In other words, Crowe IRM-as-a-Service does the work of translating risk and compliance content into language your business team can understand. And once your first and second lines can tap into content that lets them speak the same language, your business can move with both speed and confidence.

Let's talk

We're happy to connect one-on-one to learn about your specific needs and talk about how to mature risk and compliance.
Gregg Anderson - Large
Gregg Anderson
Managing Director, Consulting