So, we now understand our challenge: how do we build a GRC program that not only includes the relevant risks and controls but also communicates them in a way that makes sense to the first line? For the most part, the industry has responded to this challenge by acting as though the bulk of the responsibility lies with the first line (the business units that own and run day-to-day risk), who are expected to respond and adapt to evaluations and recommendations handed down by the second line (the risk and compliance functions).
To the first line, the second line looks detached, interacting with business folks only by periodically swooping in with a perfunctory check of whether the business is operating in compliance.
Although it may seem to business folks that the second line is obsessed only with ticking off items on a compliance checklist, the reality isn't that simple. There is no easy way to apply the complex, interconnected web of risks and regulations to the fast-changing world of business. What looks like a simple matter of presenting the first line with a yes/no compliance checklist doesn't address the heart of the challenge, which is to help a risk professional 1) identify product-specific risks, 2) communicate those risks to the business line in terms it understands, and 3) make sure appropriate controls are in place to mitigate them.
Until now, financial services companies haven't been able to address this challenge fully. Some have tried to use overly complicated GRC platforms that weren't created for the financial services industry, which usually makes the problem worse. Others have implemented sets of one-off "point" solutions that each do a single task, which again adds complication and creates silos. And many rely on homegrown options, with different departments maintaining their own spreadsheets and documents to track risks and controls. Internal audit teams (the third line) may be working from a different set of information altogether.
When you consider the range of piecemeal arrangements across the spectrum of financial services companies, the scope of the problem becomes clear. Risk and compliance is segmented within the business: different groups describe the same risks and controls in different vocabularies and taxonomies, and each must be reconciled with the others before anyone can act on them.
To move beyond this dynamic, then, we need a common language: a shared way of understanding how business functions relate to risk and compliance.