Risk and compliance professionals are tired of being glorified admins – here’s how to set them free 

Gayle Woodbury, Jay Fogelson
11/30/2020
Make progress

Too many risk and compliance teams get forced to spend their time running around doing administrative work because of inefficiencies in the risk management program. The team is stuck using clunky spreadsheets, chasing down information from the business, manually creating reports – the list goes on.

The best indicator of a more mature, integrated approach to risk management is that risk and compliance professionals spend less time managing the process and instead spend their time doing what they’re supposed to do: advising the business and managing risks.

So, how do we get there?

Learn more about Crowe IRM-as-a-Service or schedule a demo

Everyone wants to do more with less, but it’s easier said than done.

Right now, banks and credit unions are looking at the amount of uncertainty they’re facing and worrying about future budgets. Everyone wants to accomplish more with the resources they have, and risk and compliance professionals are no exception. However, they’re held back by inefficiencies and other obstacles, such as:

  • Lots of risk silos, often with duplicate or conflicting data, each with their own view of risks – no rolled-up view
  • Difficulty demonstrating compliance and adequate controls – or not even knowing what controls you have
  • Lack of an auditable paper trail to show risk management activities and progress
  • The burden of gathering information for assessments and preparing for exams and audits
  • The inability to present the bank’s risk and compliance posture in a timely manner – by the time leadership gets the report, the data is stale, and the picture presented may no longer be accurate or relevant

Obstacles get amplified when you encounter one of the following scenarios.

There are a few common trigger points that drive the need for risk and compliance to mature. Ideally, these trigger points happen because of new products or other opportunities. However, they can also arrive because of a crisis, like a data breach. Trigger points occur when risk and compliance functions face heightened demands and need to play a more strategic role that involves supporting:

  • Fast growth
  • Frequent mergers and acquisitions
  • Launching new products, new markets, new delivery channels, new partnerships, and other strategic initiatives
  • Heightened regulatory expectations, especially as you grow

Throwing more people and technology at your problems won’t solve them.

One of the biggest mistakes I see banks and credit unions making is to try and overcome the common obstacles by hiring more people or buying additional technology without asking why. Simply adding more people or tools won’t fix an underlying problem. You end up moving the burden from one group to another or from one tool to another without really addressing what’s broken, which is often the process itself.

One of the biggest mistakes I see banks and credit unions making is to try and overcome the common obstacles by hiring more people or buying additional technology without asking why. Simply adding more people or tools won’t fix an underlying problem.

This statement is especially true if your bank or credit union has purchased one-size-fits-all technology that was never designed for our industry. As bankers, we know we’re special – we have regulatory guidance that tells us so! We need to do things differently than other industries. So, when you select a tool that doesn’t align with our industry’s regulatory guidance, you immediately put yourself at a disadvantage. You’ll either need to bend your process to fit the tool (which your regulators may not like) or spend additional money and time bending the tool to fit your process.

Technology is only as good as the content you put in it.

I like to think of a technology platform as a new house: It starts out empty, and without anything inside, it’s not ready for you to live in (unless you like sleeping on the floor). You won’t start to feel at home until you figure out how to furnish the house and make it livable.

You have decisions to make as you fill the house, too. If you take shortcuts – first buy a futon, then upgrade to a cheap couch, then finally upgrade to a nice leather sofa – you end up spending much more than if you had just bought furniture that’s built to last.

So, how do you avoid spending more than you need to? The best way is to prepare. Before you invest in new risk and compliance technology, ask yourself the following about the state of your content:

  • Do we have a consistent way to look at the business across our risk and compliance programs?
  • Do we know all the applicable laws, regulations, rules, and standards?
  • Do we have a library of relevant risks and expected controls, and have we documented our control activities?
  • Do we know how we want to categorize, assess, rate, and report on risk and compliance? 

Making progress toward integrated risk management involves breaking down silo walls.

I’ve worked with risk leaders at banks and credit unions of all sizes, advising them on how to mature their risk management programs. I help them figure out:

  • Where to invest
  • How to best leverage technology
  • How to redesign risk and compliance programs to be practical yet defensible against regulatory expectations

The key to overcoming the common obstacles we mentioned earlier is for risk and compliance to stop operating in independent silos that each have their own tools, workflows, documentation, data gathering, and reporting. This siloed landscape creates overlap and duplicated efforts. Uniting the silos will require investment, but that investment will result in efficiency and effectiveness gains that will provide the greatest chance at turning risk data into actionable insight for the business. 

The key to defending your “profit-shrinking” budget requests: Use them wisely.

I know from my previous life running a risk department at a large bank that defending budget requests is tough. Your requests get evaluated against requests from the revenue-producing lines of business, and next to theirs, yours look like profit-shrinking requests.

Not only that, but if you do your job well, it becomes easier for others to think risk and compliance spend isn’t worth it. Meanwhile, the health and viability of the business literally depends on you. If risk and compliance is lacking and there are significant issues, the bank or credit union could be forced to shrink or get shut down completely.

Spend smarter and invest in technology that can both meet your needs today and scale with you as you grow. If you can get the right platform with the right content in place now, you’ll see the benefits in a matter of months.

The key to getting traction with your budget requests is to make them count. Spend smarter and invest in technology that can both meet your needs today and scale with you as you grow. If you can get the right platform with the right content in place now, you’ll see the benefits in a matter of months. You can free up resources, break down silo walls, and automate administrative work so you can get back to your real job. That’s the formula for winning risk and compliance in today’s landscape. 

Let's talk

I’m happy to connect one-on-one to learn about your specific needs and talk about how to mature risk and compliance.
Gayle Woodbury
Gayle Woodbury
Principal, Financial Services Consulting
people
Jay Fogelson