SAI360 discusses the intersection of integrated risk management and regulatory change management software with Risk and Compliance Magazine.
R&C: How would you characterize the current readiness of companies to cope with the range of regulatory risks they face? In what way has this risk profile changed in recent years?
Johns: In the years since the financial crisis, the financial services sector has faced a torrent of regulatory requirements. After the crisis, regulators were focused on credit and market risks. But now they have shifted their focus towards non-financial risks — cyber and data stewardship and security, in particular.
New regulations laid down by supervisory authorities are raising the stakes for data management. And, call it a sign of the times, ethical questions around data privacy have gained significant traction thanks to the EU’s General Data Protection Regulation (GDPR), which has armed consumers with a greater understanding of the value of their personal data and of the protections that have been made available to them.
Our recent Global Reputation Trust Index (RTI) report dug deeper into consumer behaviours and cybersecurity: financial services data breaches ranked as the highest company crisis concern for those we surveyed.
With the risk landscape continuing to be dynamic, and with other disruptive factors like imperiling regulatory change and an upsurge of informed consumers becoming the norm, this adds pressure on traditional risk management capabilities.
To keep pace with regulatory change, most firms have responded piecemeal to new requirements, often implementing a number of point systems to address specific regulations and quite often relying on one-time fixes. Moreover, these activities often take place in silos, with software partners overpromising results, making it difficult to gain a comprehensive view of risk across the whole organization.
The challenge and opportunity are how to balance the rapid complexity of existing and emerging risks with cloud-based, data-led technological advancements.
R&C: To what extent are integrated risk management (IRM) solutions keeping pace with a changing regulatory landscape?
Johns: Risk management functions are traditionally siloed, divided into compliance, finance, audit, and other risk management functions like fraud, vendor management, IT, business continuity and operational risk. This has merit but lacks foresight.
Integrated risk management (IRM) is more than a three-letter acronym. It is about a joined-up approach to risk management, one that facilitates a strategic and comprehensive approach to risk-taking. One of its key principles is connected collaboration; risk is connected and a connected approach to risk allows an organization to add competitive advantage by rapidly deploying mitigation processes and streamlining monitoring of key risks across the business, so that appropriate action can be taken where needed.
After all, operationalizing compliance activities is not a one-and-done exercise. Regulations such as anti-money laundering (AML), Know Your Customer (KYC), the Markets in Financial Instruments Directive II (MiFID II), Basel III and IV, the Second Payment Services Directive (PSD2) and GDPR require people, technology, data and process involvement to be sustainable.
By implementing an IRM framework, an organization has the ability to build a rock-solid wall of protection that reduces risks, minimizes the overhead costs of governance and compliance, and provides maximum business insight across all operations.
In addition, by streamlining compliance functions across silos, businesses can scale down from multiple, disparate teams supporting multiple solution vendors to fewer, more central functions. This enables businesses to reconcile data and results across teams and regions and can lead to a reduction in costs associated with running multiple functions.
Paul Johns was the CMO at SAI Global, now SAI360.
Published in R&C’s July-Sept. 2019 issue.