How technology can help mature your integrated risk management

Gayle Woodbury, Jay Fogelson

Adobe’s 2019 email usage study [1] revealed what many risk professionals know too well: We spend too much time in our inboxes. The average American worker spends more than three hours a day sending and answering emails, but that fact doesn’t truly convey the frenetic back-and-forth between inboxes and spreadsheets that is the daily life for many risk professionals.

If you’re like most risk and compliance professionals who work at small and midsize banks, half your day is spent doing administrative tasks instead of real risk management work. Sometimes, it probably feels like GRC stands for grinding repetitive chores, not governance, risk, and compliance.

However, a system that could automate that administrative juggling act could put you and your team on the path to true integrated risk management (IRM) maturity.

Integrated risk management is within your grasp

Mature, efficient IRM is what all risk and compliance professionals are trying to achieve. But for small and midsize banks still struggling to define and execute their GRC processes, achieving integrated risk management might seem impossible.

You might know about the wide range of technology solutions out there that promise to make your life easier, but you’ve also probably heard cautionary tales of technology implementations gone wrong. It’s tough for growing firms to even begin to envision a future with true integrated risk management in place because most GRC solutions aren’t designed with financial services in mind. But finding the right technology to achieve true IRM is easier than you think.

IRM isn’t just for large banks

GRC technology isn’t only for big banks that have the capital to implement and maintain a large system and the financial cushion to absorb the hit if that system doesn’t create value. Many banks mistakenly think that a platform is overkill, so they look at point solutions instead. They assume they can put off worrying about an integrated approach until the bank gets bigger.

But growing banks that rely on point solutions increasingly will find themselves caught in a web. What happens the next time you need support in a particular area? Do you adopt another point solution?

Most likely, that solution won’t integrate in any meaningful way with the one you purchased earlier. Over time, point solutions pile up, and disparate tools strand each area of risk management in its own silo. This path increases the likelihood of duplicate efforts and creates an increasing burden of hands-on work to aggregate and reconcile all the data, not to mention the additional burden of supporting multiple technologies.

To get and stay on the path to integrated risk management, you should be looking for a platform that can help perform your risk and compliance processes more efficiently, expand the scope of your coverage, and integrate processes to eliminate redundant work and improve reporting.

True IRM can help growing banks minimize growing pains

It might seem like true integrated risk management is something you can think about in the future, after you’ve addressed your most pressing challenges. However, it’s important to start laying the groundwork for IRM now.

It becomes more difficult to transform governance, risk, and compliance to integrated risk management once you create a risk and compliance culture that’s built around inefficiency. Later, when the need to integrate your processes and move into a true platform becomes urgent – perhaps tied to increased regulatory scrutiny or expectations, a consent order, or an audit finding – you’ll have to expend more effort to get your risk and compliance team to buy into the changes.

You set yourself up for a much smoother and more logical journey if you adopt an IRM mindset as soon as you begin evaluating GRC tools and technology. It might seem counterintuitive to think about buying a platform when you only need a solution for a point problem, but as your firm grows, so, too, will your need for integrated technology.

The right GRC technology can help foster a better work culture

When evaluating which GRC technology can help you on the path to risk management maturity, it’s worth considering the user experience it could provide for your team. It’s costly – both in terms of money and goodwill – to train people to use different systems. And it can be a headache to get everyone to remember the correct logins, orient themselves to new systems, or figure out how to get several systems to work with a single sign-on.

You also need to consider the experience you’re creating for your first line of defense. One of the biggest complaints that first-line professionals tend to voice about risk and compliance is that different members of the second line ask for the same data over and over. This week, Tony from cybersecurity wants information, and the first line complies; the next week, Tanya from third-party risk wants the exact same information. This repetitive ask can be incredibly frustrating to the folks on the business team.

Introducing an integrated platform enables the sharing of information, which can create a cultural shift. The second line becomes a unified team instead of a loose collective of isolated groups, and the two lines can start to work together in tandem to grow the business.

A right-sized GRC platform enables truly integrated risk management for smaller banks

For small and midsize financial services firms, the primary obstacle to adopting a platform is that most GRC platforms weren’t constructed with their needs in mind. Enterprise-scale GRC platforms are extremely open-ended and industry-agnostic, and they require a detailed understanding of:

  • How risk and compliance programs function within your industry
  • What your business hierarchy looks like
  • How you categorize risks, controls, processes, and products through taxonomies
  • How you harmonize your risk assessment and control rating methodology

In general, our team at Crowe sees that many small and midsize financial services firms don’t have the necessary taxonomies and methodologies in place and clearly defined. However, not having this level of development doesn’t mean you can’t start on the path to integrated risk management. It just means the path that large firms usually take to make highly customizable platforms right for them likely isn’t the right path for you.

Crowe understands that small and midsize financial services firms have no meaningful option for early adoption of an integrated risk management technology, so we created Crowe IRM-as-a-Service. This ready-to-use platform delivers all the benefits of true integrated risk management, with an approach tailored specifically to small and midsize firms. The platform comes preloaded with the content and use cases you need, so it’s ready to use within days of purchasing instead of months or years. With Crowe IRM-as-a-Service, you can finally spend less time in your inbox and more time doing the risk management work you’re passionate about.

1 "2019 Adobe Email Usage Study," Adobe, Sept. 12, 2019,

To learn more or to schedule a consultation and demo, visit the webpage for Crowe IRM-as-a-Service. 

Gayle Woodbury
Principal, Financial Services Consulting
Jay Fogelson