BLOGS & OPINION | Contributed Content, India
Suresh Sankaran

Governance Risk and Compliance (GRC) – Appreciating the enigma around it


It was a financial services seminar whose agenda focused on recognising the triggers for the current financial environment. Off to the side were two senior bankers who were not too comfortable that the previous session's speaker had tried to impress on the audience that banks did not have an adequate governance process, in spite of the existence of appropriate risk and compliance management systems.

One of them observed, “We are very close to stabilizing the advanced approach of Basel II and, with respect to our credit risk portfolio, we are able to see a released capital of Euro xxxx by adopting more scientific models and measuring capital more from an economic perspective rather than a regulatory focus alone. But the domino impact of the collapse badly damaged the quality of our assets.”

The other reflected, “We too thought our controls and monitoring mechanisms were quite commensurate with the size and complexity of our business, and we had invested substantially in technology and systems, but the global consultant to our single major investor felt that the governance process requires a revisit and its effectiveness needs to be measured.”

The above scenario leads us to ponder what Governance, Risk and Compliance is, its context and its renewed relevance. Financial turmoil has recurred in cycles often enough to stimulate Professor Kondratieff to evolve a theory around it. If there is one common thread found ‘wanting’ across all these historical failures and contemporary debacles, it is those three simple English words, “Governance, Risk and Compliance”, often quoted as “GRC”.

It may not be an exaggeration to observe that these three, G, R and C, are the most relevant pillars of business management in the current economic environment. Was it merely a flash of conscience that made the directors of a globally renowned corporate major return their huge bonuses, or was there a greater force of GRC hovering around and influencing the decision?

GRC is essentially a mechanism which prudently introspects the strategies, goals, objectives and policies/procedures, examines whether the risk management systems identify, measure and monitor the various business and regulatory risks, and ensures that the processes and activities revolving around the compliance function are efficient. More significantly, it has to ensure that there is a perfect synergy with the business performance process.

From a CEO's perspective, it is the delicate act of balancing the assurance of business performance to the various stakeholders with ensuring that the accountability aspects are completely covered, while being transparent enough to demonstrate that all three aspects of G, R and C are acting in perfect symphony.

Increasing regulatory pressures across the different geographies in which a globalized bank operates require more executive focus on compliance management than before. The Chief Compliance Officer function is assuming very high levels of significance. In the case of banks which the government prevented from going under, the CEO/CFO and other CxOs are spending more time liaising with the central banks, regulatory authorities and the government.

Executive management has used traditional business performance parameters like spread and profitability, Risk Adjusted Return on Capital (RAROC), Economic Value Added (EVA), revenue growth, market share, market value/shareholder value, brand value, customer satisfaction and, of course, the much bandied Capital Adequacy Ratio (CAR). Some banks whose CARs were almost double the Basel II norms have vanished off the face of the earth. GRC requires executive management to continuously evolve the business performance measurement parameters by increasing the scope and boundaries of KRIs and KPIs. Will sustainability indices also be as effective as CAR?

Liquidity risk management requires considerable focus, both in terms of conceptualizing a mechanism to measure and monitor it and in creating and maintaining technology systems for the same. Operational risk is another area receiving increasing management attention. Creating a separate identity for the operational risk function is the first step toward putting in place frameworks for RCSA, KRIs, loss tracking and assessment, and incident management.

An operational risk failure does not merely reflect process and control inadequacy. It directly results in a loss, whether credit, market or liquidity, or, if extrapolated to the strategic level, the collective failure of the Board itself, which did not create and maintain an appropriate GRC mechanism. In this context, the roles and responsibilities of the Internal Audit function have gained the required focus. Further, the Internal Audit and Operational Risk functions should complement and supplement each other rather than operate independently. An integrated GRC mechanism with broad-based risk taxonomy structures shared by all functions would be very useful in this regard.

No bank is an Island – The Banking eco system
The fundamental business of a bank is to accept deposits and lend money, and to provide remittance and other services. It may seem anachronistic, but the core kernel of banking activities revolves around these two activities; by performing them, banks earn their basic profit (Net Interest Margin). These activities are impacted by key economic and environmental factors like core demand/supply, regulatory requirements and competitor behavior, and are triggered by the specific bank's culture and credo. Banks operate in an ecosystem which includes direct customers, customers of customers, money suppliers, competitors and others, encompassing the entire gamut of the core business domain and the extended enterprise. The chain impact can be felt at the bank's level when the position of its customers' customers changes in the financial scenario. All players in the ecosystem cannot be deemed independent; they are actually interdependent. The controlling bodies demand compliance from banks with their regulatory directives. Therefore, the governance strategy of the bank will be impacted and influenced by the behavior of these various forces in the ecosystem. It also needs to be recognized that banks themselves influence the ecosystem by their culture and behavior. A la Catch-22 !!??

The world may have become flat, but in the process it has created a situation where financial insulation cannot be taken for granted. The contagion/domino effect of external events significantly impacts not just the growth but the bare minimum survival of venerable financial institutions.

GRC and Performance Conundrum
The current focus of banks may be on survival and on stabilizing strategy, tactics and operations. What is more important is that they need to define the core philosophy and culture which will act as the fundamental thought process for them to grow, make profits and be good corporate and public citizens. That will influence the business streams and associated revenue models. Executives need to answer honestly (??!!): “How am I going to get my core revenue in the next 5 years, and how will my capital management policy influence it?” The cost and risk associated with the business streams will need to be analyzed with a conservative and consistent outlook. What may be considered prudent (as when derivatives were considered a safe enough environment) may turn out not to be so, at least in the short term. The risk appetite of an organization will be driven by its core philosophy and culture. What counts as excessive risk will differ from one organization to another. This has a direct link to the cost of survival of the organization itself and of all its associated stakeholders, like investors, employees and vendors. It is essential that the contagion/domino impact of a bad business decision by a single entity on the overall economic environment be as minimal as possible. The need for an overarching GRC which would encompass all the stakeholders of the ecosystem is recognized. Is it a utopian dream?

GRC Components
This section is based on Forrester’s view on the GRC components. 

The components of GRC are spread across five organizational layers viz. Governance Layer, Risk/ Compliance Layer, GRC Support Layer, Business Layer & IT Infrastructure Layer.

The Governance Layer aligns performance with corporate objectives by providing the right metrics and in-depth insight into financial, operational and other data regarding the overall health of the business, including the corporate board's information management. The components are dashboards, audit management, CSR management, board/entity management etc.

The Risk/Compliance Layer establishes rules for business operations through the collection and analysis of data from business systems, GRC support systems, and business and IT control systems. The components are policy & procedure management (IT & business), risk & control management, issue & action management etc.

The GRC Support Layer collates important information that contributes to broad risk and compliance management and performs specialized functions like financial risk management. The components are legal/case management, asset management, environment management, quality management, whistle-blower hotline, credit/market risk management, regulatory/risk content feed etc.

The Business Layer translates compliance policies into business-level controls. The components are Segregation of Duties, trade compliance, Anti-Money Laundering, fraud prevention, prevention of unauthorized actions etc.

The IT Infrastructure Layer assures that information is properly controlled. The components are data security, content security, access control, application security etc.

While integrated GRC is an enterprise endeavor, the components of Governance, Risk & Compliance and their interdependencies are spread across five organizational layers.

The functionality of each layer and a few of its related components are listed below:

1. Governance Layer
Personality:
- Visibility through the full spectrum of enterprise and operational risk
- Align performance with corporate objectives
- Provides metrics & in-depth insight into financial, operational and other data regarding the overall health of the business
- Manages information, scheduling & workflow of corporate boards
Sample components: Risk & compliance (enterprise & IT) dashboards with analytics, audit management, CSR management, board/entity management etc.

2. Risk/Compliance Layer (hub for GRC)
Personality:
- Policy & procedure management (both IT & enterprise)
- Collection and analysis of data from business systems, GRC support systems, business and IT control systems
- Risk & control management
- Issue & action management
- Risk & control assessment
- Define and manage IT controls
- Interface between IT GRC & enterprise GRC
- Translate policies into controls to distribute to different systems & users
Sample components: Control definition & integration, control/policy management, manual/automated risk & control assessment etc.

3. GRC Support Layer
Personality:
- Carry out essential elements of a comprehensive GRC program like financial risk management, keep GRC programs updated on regulatory changes, help employees adopt proper conduct, collect anonymous reports etc.
- Collate important information that contributes to broad risk and compliance management, like capital investments, employee health & safety, hazardous materials and pollution, litigation, product quality etc.
Sample components: Whistle-blower hotline, credit/market risk management, regulatory/risk content feed, legal/case management, asset management, environment management, quality management etc.

4. Business Layer
Personality:
- Translates compliance policies into business-level controls
Sample components: Segregation of Duties, trade compliance, Anti-Money Laundering, fraud prevention, prevention of unauthorized actions

5. IT Infrastructure Layer
Personality:
- Assures that information is properly controlled
Sample components: Data security, content security, access control, application security

GRC maturity
It would be a simplistic assumption that GRC maturity can be attained merely by putting together the processes around the GRC components, supported by an appropriate technology infrastructure. Planning a GRC journey is an onerous task: it will be strewn with craters and also impacted by many Black Swan events.

The main concern of a GRC program would be to address the issue of operating in “silos”. Walls have been created around functions, processes and systems over time due to the absence of an integrated approach. For example, a suspicious transaction in a business account of a bank would be viewed differently by the compliance function (AML, Patriot Act), the operational risk unit (Basel II) and internal audit policy. The threshold limits for the value and volume of exceptions may also vary depending on the three perspectives, and maybe at the end of the quarter there will be someone reconciling the data from the three systems. GRC should set up a process and system where the three perspectives mentioned are given due consideration at the earliest stages of the planning process. This would enable tight cohesion between operations, policy and strategy from the compliance, risk and audit perspectives. The need to set up cross-functional teams/task forces is imperative. Compliance and regulatory management needs to move beyond a mere rule-based, external-authority-driven function to one which manages the internal code of conduct, ethics and sustainable business practices.

An attempt has been made to picture the GRC maturity journey, which is represented below. This is an initial and generic model which would be continuously refined based on the lessons learned as the GRC processes and systems are planned and implemented.

The factors or influencers for the level of GRC maturity are depicted in the diagram below:

Current Focus and outlook
A banking-industry CFO's view goes something like this:

“With the increased regulatory activism across the different ponds of the world, the C (Compliance) aspect of GRC has increased in focus; we don’t know how many more Accords are going to come up, or how much more data and number games are going to be played. We are also supposed to be highly mature in Risk Management.

We can always manage Liquidity risk like we have been doing since time immemorial. What's maybe required is more attention on the Governance aspect. Are there going to be parameters and metrics to measure aspects like Greed, Avarice, and Financial and Societal Stakeholder Priorities, in addition to sustainability indices?”

A recent Tower Group report also seems to concur with the above thought process at a broad level.

There may be some more pressure to go beyond numbers and start thinking about business ethics. However, this aspect is a reflection of the organisational culture, which requires deep introspection into the essential philosophy of each organisation. Is the Anna Hazare movement in India against systemic corruption another Black Swan event? Or will it trigger a societal awakening to the larger aspects of business and economics, if applied to both corporates and society at large? Time is a great healer, of course, so we will await the next cycle of scandals and regulations.

Suresh Sankaran, Country Head, Europe (Middle East & Africa), Kamakura Corporation, London, United Kingdom
Suresh now heads the EMEA operations of Kamakura Corporation.

He has authored several papers on liquidity management and alternative methods of liquidity measurement. He is also a featured speaker in the workshops and seminars organised by the Financial Stability Institute, a division of the Bank for International Settlements (BIS).

Shyam Sundar Krishnamurthy is the head of the Governance, Risk and Compliance Practice of Tata Consultancy Services Ltd (TCS). He is currently involved in engaging with senior management of global banks and financial institutions in the conceptualization and design of GRC frameworks. He has led assignments relating to Risk, Capital and Profitability Management and Compliance in the United Kingdom, Europe, the United States, South Africa and India, and was one of the founders of the Strategic Performance Management Practice of TCS, where he evolved performance management models for global clients which included concepts like Activity Based Management and Balanced Scorecards.

The views expressed in this column are the author's own and do not necessarily reflect this publication's view, and this article is not edited by Asian Banking & Finance. The author was not remunerated for this article.


Suresh Sankaran, Principal Operations Officer - International Finance Corporation, The World Bank Group Washington DC, United States of America