The Adoption of GRC Among Corporates is a Must, to Avoid Fraudulence

DQI Bureau

The present situation is a grim reminder of the importance of creating an
ecosystem that cannot be hijacked by avaricious individuals and fraudsters. We
need to develop systems and processes that will provide the much-needed checks
and balances.

Management is nothing but a systemic way of mitigating and managing risks.
Risk is an integral part of any management and, if one comes to think of it
seriously, this is what the board and the senior management are primarily
responsible for. It has always been a challenge to gain an integrated,
detailed and profound view of dispersed data and issues in multiple
situations across various horizontals. Failing to do so leads to data
mismanagement, which puts governance and compliance at risk, and disasters
are then to be expected. Thanks to the information technology era, we now
have integrated software solutions to manage and eradicate these potential
menaces.

The recent scandals, the meltdown and the unprecedented panic have got
everyone thinking about what went wrong and struggling to find ways to
ensure that such risks are never repeated. The whole catastrophe was the result
of the lawlessness of covetous managers who, for their short-term benefit,
compromised the financial viability of the system. To make it even
worse, there were no systemic methodologies that enabled automated detection.
Even where there were indications, like the ING bearing case etc., people
dismissed them as an aberration, ignoring that this could perhaps result in market
value defamation and other debacles. The issue therefore is not that we need to
find the solutions to manage risk, but that we need to understand and forecast
it well in advance.

What is risk and how can we manage it better? As said earlier, the
twenty-first century is characterized by decentralized decision making,
challenged by uncertainties all around. As we transition from certainty to
uncertainty, and further, conventional solutions will not be effective in
managing such situations. We will need to find depth-cutting and
straightforward solutions which can be successfully applied to diverse
contexts. We will need to shift from giving solutions to empowering individuals.

Managers, when faced with an issue, resort to their memory: they recall,
think, and use judgement, foresight and hindsight to make decisions.
Organizations build checklists and ensure some methods of escalation to resolve
unresolved issues. However, implementing these is difficult because
the definitions used in each of the departments are different, the systems used
are different, and there will always be functional and contextual differences.

A Ten Step Approach

Governance, risk management and compliance (GRC) design and implementation
can be aided by a ten-step approach. The steps provide a platform for learning,
educating, and establishing GRC functions, and they are designed to lead
organizations through a practically oriented process where each action builds on
the next. The ten steps are: co-ordinate GRC functions, discuss with
management and the board, identify initial opportunities, develop an initial
project plan, draft a risk policy, execute an initial project plan, revise
vision and project plan, finalize board risk policy, approve risk policy and GRC
structure, and execute the final project plan.

Once the final plan is complete and the risk policy and structure are
approved, the organization should be positioned to execute the plan and achieve
the established vision. Many of the risks cannot be quantified, so for
judgment situations GRC systems take pride in having come up with a solid norm.
They have survey tools that grant each individual absolute liberty to vote
or poll for whomsoever he/she chooses to take charge of a situation. The
results are then aggregated to come up with the best practice norm, against which
the risk is evaluated, and which can be balloted further. This enables the manager
to gain a quick insight into the different risks and his/her decisions, and to
make knowledgeable decisions. Organizations can typically schedule reminders
to the manager to do the tasks and provide ways of escalation, as and when
needed. Also, in the event of an incident, these systems automatically
trigger a series of investigations to surface issues. All of these are
integrated into reports. These reports to the top management show a
scoreboard of the areas of concern on risk and governance, to help them decide
their next steps. These high-level reports can be drilled down to the root cause
analysis details.

GRC in Financial Institutions

GRC refers to the people, processes and technology that banks invest in to comply
with regulations and manage risks as part of effective corporate governance.
With respect to compliance and risk, IT consumes the majority of bank employees'
time and effort. Managing information, applications, systems and networks is
complex and requires sophisticated and integrated technology and processes. IT
GRC addresses technology's specific challenges, providing methodologies and
techniques that IT can effectively use to cut time and costs, while improving
the quality of risk and compliance information.

Banks and other financial institutions are no strangers to regulations, and
they currently face three challenges that are driving them to understand and invest
in IT GRC to create and automate processes and manage compliance and security
risk in a systematic, quantitative and comprehensive fashion. As banks scout for
cost-effective ideas, outsourcing has provided a useful tool. But that tool
comes with a cost: third-party relationships increase the complexity of
managing compliance and security risks across outsourced operations.

IT GRC provides a means to eliminate redundancies and improve the consistency
and quality of risk data; it saves time and reduces the demand on managers.
It also provides the means to consolidate and integrate the plethora of
technical data and to systematically gather, quantify and prioritize security
risk data across assets, operations and regulations, thereby improving risk
mitigation.

As the number of regulations and mandates continues to grow, the common
approach with the imposition of each new regulation has been simply to add a
new compliance team with a new mission and scope, which creates significant
inefficiencies and hampers the management from understanding their risk
position. The various teams interpret the same risk data differently, resulting
in redundancies across regulations and in the lack of a common interpretation of
risk information, either across compliance and risk teams or the management at
large. While this could be a great tool, its deployment is slow and sometimes
deliberately delayed until it is eventually dropped, because there are people who
are always afraid of being under the scanner. Any investigation can potentially
pinpoint the person responsible. Therefore, there is a great reluctance to
be on the line. Much has to do with the objective for use of the tool, which
has to be rightly defined by all organizations desiring a lawful, risk-free
and compliant workplace.

It's never the wrong time to do the right thing. There have always been and
will always be elements in society who believe they can easily get away with
their acts of corporate fraudulence. Now is the time for each of us to rise
and transform into a wise/wiser corporate citizen, who can contribute to help
and guard their own workplace by implementing this potent and
cream-of-the-crop technology called GRC. Media today is choked with
countless stories on fraud from all sectors, which are broadcast/distributed
round the globe. This just creates hype in and around the corporate world, which
usually results in rigorous public group discussions and speeches on
corporate governance and compliance. However, it's extremely delightful to see
quite a few organizations that worked on an immediate action plan to implement
risk management solutions, eradicating in advance the risk of unforeseen
corporate fraudulence. It's an overwhelming sensation to visualize the true
upheaval of governance, risk management and compliance. It not only oversees
the global industry's monetary transactions but also extrapolates on the figures,
which were never taken into account before GRC started deserving its identity.
Nevertheless, concentrated awareness of GRC still remains a question for
the uninitiated, which has to be critically looked upon.

K Vijay Rao, Vice-chairman SoftPro

maildqindia@cybermedia.co.in
