The new GRC platform implementation roadmap for growing banks

Gayle Woodbury
2/3/2021

Technology is supposed to facilitate communication and make work easier, but for risk and compliance professionals at small and midsized financial services firms, governance, risk, and compliance (GRC) technology can sometimes hinder more than help.

It’s easy to see why smaller firms hope GRC technology can solve all their problems. Juggling spreadsheets or hemmed in by point solutions, risk specialists at these firms have to pull from a mismatched collection of different sources and manually reconcile data to provide reporting. Then, because the information is organized in terms that can be hard for the business line to comprehend, the risk team must either attempt to translate or watch the essential message go unheeded.

This inefficient method of operating a GRC program might still suffice when a bank is under $1 billion in asset size, but what happens when business growth outpaces the capacity of your risk management team? For many firms, this inflection point means that it’s time to explore their approach to GRC technology and consider a comprehensive GRC platform. However, many times this process comes with a lot of potential pitfalls.

There’s a lot to consider when comparing GRC technology approaches.

One option is to buy a “point solution” — a single tool that addresses your most pressing challenge. This tool will most likely improve your capacity in that one area, but as other needs pop up, it becomes increasingly inefficient to implement additional point solutions.

Not only does each solution come with its own implementation and ongoing support processes, but they don’t communicate with or complement each other in any meaningful way. Eventually, you will likely end up constantly logging in and out of different tools to export and rationalize data in a way that’s not easy to aggregate. The manual effort to manipulate and reconcile this data can end up costing you even more time and effort than you spent when you were working out of spreadsheets.

Another option is to adopt a comprehensive GRC platform that can integrate previously siloed risk information and serve as a central hub for all your risk and compliance activity. As your business grows and you add products and processes, a GRC platform can make cross-functional workflows and reporting far more efficient, protect your content from accidental or unauthorized changes, and help you communicate accurate (and understandable) risk information to your senior management, line management, executives, and board.

The typical GRC roadmap doesn’t translate to success for many small and mid-sized banks.

The first step in choosing a GRC platform is to research your options. For many risk leaders at smaller firms, even this first step can quickly become overwhelming. Many enterprise-level GRC platforms are extremely complex and not specifically designed for financial services firms. As you evaluate these platforms, you’ll probably find that they offer capabilities you don’t need but lack functions you would expect from a banking GRC platform.

Additionally, much of the expert advice on how to choose and maintain a GRC platform is aimed at large financial institutions with $10 billion, $25 billion, or even $50 billion in assets. For smaller banks, the conventional advice is often unrealistic: Many GRC platform implementation guides will tell you to perform a proof of concept before you fully deploy the GRC tool or instruct you to build out a large implementation team. In a perfect world, smaller firms would have the capacity to do both of those. Often, these guides will instruct you to think through and document all the operational impacts of the GRC product before you commit to an implementation, which is sometimes hard to do.

Even getting a demo for one of these platforms often turns out to be a disheartening and overwhelming process for risk leaders at smaller banks. The experts who give these fast-paced presentations know their platforms extremely well but rarely have in-depth knowledge of the banking industry, so they most likely won’t be able to speak directly to your needs or focus on the features and capabilities you require. 

The process of purchasing a platform is also shrouded in mystery. Many banks don’t really understand the technology they’re buying or what’s required to get it up and running. In particular, risk leaders are often shocked to find that the software company won’t actually help get the GRC platform up and running, which means the firm needs a separate implementation partner. And in many cases, the software company won’t even make a recommendation to help you find such a provider.

This can be one of the most painful points for many smaller firms, as many banks under $10 billion don’t have risk and compliance programs and processes that are developed enough to direct the highly open-ended process of implementing a large GRC platform. You have to be ready to be in the driver’s seat, and have answers to fundamental questions like:

  • What are all your lines and departments?
  • How do they view the business?
  • How do you need to report risk?
  • Does every part of the business view risk and compliance the same way?
  • Do regulators look at it the same way?
  • What about risk taxonomies? How do you categorize risk?
  • How do you measure and calculate your risk and control ratings?

If you don’t have immediate and solid answers to these questions, the typical GRC platform implementation process will likely be a stressful and confusing one. However, that doesn’t mean you can’t realize the benefits of a GRC platform and achieve true integrated risk management (IRM).

The new roadmap: A straight line from purchasing to adoption.

Crowe drew on our deep subject matter expertise and knowledge of GRC technology to create Crowe IRM-as-a-Service. This platform provides all the benefits and capabilities of a GRC platform, designed for the banking industry and ready for use within days of purchasing, not months or years.

Instead of asking you to think through organizational hierarchies, risk taxonomies, and risk and control rating methodologies, Crowe IRM-as-a-Service and the built-in Crowe Risk Curator will ask you to fill out simple templates that come with detailed instructions. Based on the inputs, the platform will populate with organizational information, rationalized taxonomies, and a library of risks and controls based on our extensive experience working with firms in the financial services industry. You’ll also be asked to answer some basic setup questions to help tailor the solution for your organization. Once the process is complete, the platform is ready to use. From that point, you’ll have a wide range of options for further customization as your organization evolves and your GRC program becomes more sophisticated.

Not only do you not need to navigate a complex implementation roadmap with Crowe IRM-as-a-Service, but you don’t even need a map at all. The platform is designed around the use cases banks like yours need, and Crowe serves as your implementation guide. As a fully hosted and managed platform that’s ready to adopt, Crowe IRM-as-a-Service helps you achieve risk management maturity with an intuitive platform that grows with you.

And if you find yourself thinking you’ll need additional assistance to help execute your expanded abilities to support risk and compliance activities, we can help with that as well. The Crowe IRM-as-a-Service solution includes a simple way to engage Crowe specialists when you need them. Wherever you are on your GRC journey, we’re here to help.  

Let's talk

We're happy to connect one-on-one to learn about your specific needs and talk about how to mature risk and compliance.
Gayle Woodbury
Principal, Integrated Risk Management Leader