Independently, governance, risk and compliance (GRC) have always been of concern to businesses, especially those in financial services, which face numerous regulations. GRC is an approach to management that looks at the 3 principles holistically throughout the entire organization. Under GRC, all three components have to be implemented collectively, as opposed to having just one. Essentially, decisions made by management on governance also have to consider the risk appetite of the firm and its compliance requirements. In the article Frame of Reference for Research of Integrated Governance, Risk and Compliance (GRC), Racz, Weippl and Seufert define GRC as “an integrated, holistic approach to organization-wide governance, risk and compliance ensuring that an organization acts ethically correct and in accordance with its risk appetite in the context of its internal policies and external regulations through the alignment of strategy, processes, technology and people, thereby improving efficiency and effectiveness.”
GRC aims to eliminate the silo mentality that companies would have. Silo mentality is a way of operating whereby departments or functions within the same organization do not communicate freely, and this affects the effectiveness of the organization. An example is a situation whereby the product development team makes changes to the product that would affect its pricing and fails to communicate this to the business development function, which then misprices the product.
The financial crisis showed the risks that come with working in silos. Banking departments were taking actions that only they clearly understood due to specialization and sophisticated technology. Bank leadership did not clearly understand what subprime mortgages were, while other people within the organization took decisions without consulting.
Financial institutions have increased their adoption of GRC practices in order to build their reputation in the eyes of their stakeholders. From a regulatory point of view, there has been an increase in regulations, intended to make banks more transparent and open in how they operate so as to avoid the liquidity risks that contributed to the financial crisis. In addition, stringent regulations are meant to counter money laundering and terrorism financing practices.
As customers demand banking practices that are transparent and open on issues such as fees, financial institutions are adopting GRC in order to build internal structures that allow them to offer open and transparent services. This helps to build their reputation as credible institutions and increase their credibility among their target customers. These institutions are aware that they are facing increased competition among themselves and from fintechs. The latter have positioned themselves as the alternative that provides transparent banking. Customers have numerous options, and concerns to do with transparency could mean the difference between a financial institution gaining or losing market share.
The financial sector has seen an influx of regulation as regulators try to avoid mistakes made in the past and at the same time adapt to new products and customer behavior. Some of these additional regulations touch on an aspect of financial services that has seen tremendous growth: data. Banking has evolved from the traditional channel of visiting a banking hall. Bank clients can receive and transfer payments, in addition to opening an account, without ever having to visit a bank branch or talk to a teller. Traditional banks have adopted technology and extended their offerings online. On the other hand, there has been a mushrooming of fintechs, such as neobanks, that have leveraged technology to be attractive to bank customers. Going digital comes with technological risks such as malware, hence creating the need for aligned compliance requirements when handling customer data. In light of this, the Central Bank of Kenya, in its five-year strategy, has promised to develop risk management frameworks and standards that will guide how banks will manage their customer data according to the Data Protection Bill that came into law in 2019.
GRC has also become a key concern for the majority of financial services sector players due to the introduction of new banking sector verticals such as open banking. Open banking is a new development whereby traditional banks share their customer information with third-party providers like fintechs, in order for the fintechs to provide better financial products and services that are tailored to the spending and earning patterns of their customers. This is due to the increased demand by banking sector customers for more personalized services and a variety of products to choose from. As a result, commercial banks have had to set up GRC functions within their organizations that address the risks associated with allowing Application Programming Interfaces (APIs) from third parties to integrate with their own internal banking systems. In addition, commercial banks take into consideration compliance requirements that guide how and with whom they are allowed to share this data. These banks have to consider what level of consent, from a regulatory standpoint, they should seek from their customers in order to share their data, and build the internal governance structures that guide them when sharing the data.
Looking forward, the need for GRC will increase at both the institutional and regulatory authority level. The financial services sector will see more and more innovation and development of products and services that leverage technology. These will open up institutions to more technology-related risks, and regulators will require financial institutions to have risk mitigation measures to address them. It is therefore crucial for strong GRC mechanisms to be built within the company at each functional level. Successful GRC implementation should begin at the board and executive level, with the leadership adopting this practice within their growth strategy and creating implementation accountability at that strategic and tactical level.
Author: David Kageenu