As risk and compliance managers look toward the new decade, they are hoping for several changes in the GRC landscape. Based on conversations with industry experts and customers, we've compiled 10 of the most important issues for compliance professionals. Here we give you a look at the first five, with the second five in part two.
1) Regulatory Clarity
At the top of any GRC manager’s wish list is regulatory clarity for the financial services sector in 2010. In the depths of the financial crisis, the Obama administration promised financial services regulatory reform. President Obama himself remarked during his inaugural address: “But this crisis has reminded us that without a watchful eye, the market can spin out of control.”
But what has happened since then? A credit card bill was passed, but meaningful overhaul is still buried in the legislative process, and there are still major differences between the House and Senate versions of the critical elements of reg reform, including the systemic risk regulator, consumer protection and mortgage reform.
The political climate in Washington has shifted over the last year, and financial services reg reform is not the top priority for the administration -- health care is (and now terrorism). In the end, as the political momentum behind reg reform fragments into competing alternatives, GRC managers are going to have to accept this uncertainty and the current regulatory structure, which may endure longer than expected.
Of course, this in and of itself offers some clarity, which explains why we’re continuing to see strong growth in the GRC platform market, as companies move forward with their plans for integrated risk management, despite the uncertainty.
2) Better Collaboration with the Business
Surveys have shown that only 40 percent of respondents find the importance of risk management to be widely understood throughout the company, suggesting that more needs to be done to embed risk culture and risk thinking more deeply in the institution.
Incorporating risk management into everyday business processes will enable executives to focus on those elements of their risk activity that have the greatest positive impact on the organization. Business managers can spend less time on assessments and more time on proactively managing risk and processes to meet company objectives.
Providing enhanced visibility into the risk landscape, integrated risk management empowers business managers to make smarter decisions that maximize value, reduce costs and balance risk with returns. When embedded into everyday processes at all levels of the organization, risk management will drive business performance.
3) Robust Organizational Risk Culture
It’s become clear that a risk-aware corporate culture is of critical importance to an organization. In the past year alone, we’ve seen plenty of examples in the news where a lack of risk-aware corporate culture has hurt companies, some beyond repair.
While it is critical to be thoughtful, disciplined and strategic in your approach, it’s also important to understand how technology can promote a risk-aware culture and become a tool to embed effective integrated compliance and risk management practices within an organization.
Technology can act as a training and awareness tool and a marketing tool, and it can help build accountability and push policies and processes into daily activities.
4) Risk Expertise Needs to Start at the Top
Sponsored by the UK government and published this past fall, the Walker Review recommends overhauling the boards of banks and other big financial institutions by requiring the Chief Risk Officer to have a reporting line to the risk committee, in addition to strengthening the role of non-executives and giving them new responsibilities to monitor risk and remuneration.
Risk management will be under increasing scrutiny in the UK -- and across the globe -- and risk expertise will be increasingly important in 2010.
5) Improved Risk Management Data Quality and Availability
The lack of data quality and availability is a huge barrier to strengthening risk management. Many of the risk managers we work with frequently cite a lack of clean, high-quality data as one of the biggest inhibitors to achieving their risk management and regulatory compliance objectives.
Poor data quality seems to be endemic in most firms. It can appear in many forms, including problems with completeness, accuracy, consistency and timeliness, as well as redundancy and duplication. The causes can be numerous as well, including process errors, inadequate information systems, employee training and many others.
Poor data quality is such a systemic issue in many firms that it should be viewed as an operational risk for the enterprise. Many of the firms we talk with are viewing risk data quality as an enterprise-wide activity and not the responsibility of a solitary risk department. These firms are identifying the processes that generate poor-quality data and correcting them at an early stage.
In addition, they believe that data quality cannot be an IT-led exercise, even though IT serves as a key ally and stakeholder in implementing and maintaining data quality programs.