
TowerGroup
A CORPORATE EXECUTIVE BOARD Company

The Future of Risk Management: Getting GRC Right

Rodney Nelsestuen
Senior Research Director
Financial Services Strategies and IT Investments
February 2011

Executive Summary
The concept of combining risk management and compliance activities is not new. It has long
borne the name "governance, risk management, and compliance," or GRC, although in practice,
GRC has historically defaulted to the "C" part of the acronym. That is, most implementations of
GRC are about compliance only. Governance is often relegated to the steps required by
regulation and not treated as integral to a financial services institution's (FSI's) risk appetite,
business objectives, or control processes. Risk management has largely been ignored as well in
defining GRC and developing technologies to support it. However, as a separate discipline, it has
played a central role in the financial services industry. Even with the recent addition of analytics
and enhanced data access capabilities, most FSIs have failed to gain a cohesive, holistic view of
risk across the entire company that their boards of directors and management can address.
Although compliance and risk management have commonalities, they are not the same thing.
Risk management must be based on the FSI's business plans and risk tolerance. Compliance
rules may set some hurdles or limits, but they do not manage risk, as evidenced by the fact that
many of the FSIs that failed or nearly failed during the recent financial crisis were in compliance
with regulations. Today, an integrated, firmwide view of risk is especially necessary in light of
new demands for more sophisticated capital and liquidity management. Global regulatory bodies
are rapidly becoming more expert in the techniques needed to manage risk. In light of emerging
business and regulatory trends, now is the time to develop a meaningful integration path for
compliance and risk management and to incorporate a sound governance approach to both, one
that results in the realization of the full promise of GRC. The journey toward that integration has
already begun.
This report reviews frameworks for integrating governance, risk management, and regulatory
compliance. The following concepts are key: Building a holistic framework or architecture into a
business at the process level is the best means of integrating the various aspects of risk
management and compliance firmwide. Deploying new frameworks and architectures
incrementally increases their sophistication and value over time while expanding their usage
throughout the FSI. Solutions with crossover ability for risk management and compliance will
evolve, becoming customized as FSIs discover new ways to use the framework. The structure of
the governance element in GRC depends on an FSI's business model, the nature of its lines of
business and internal functions, and who conducts those functions.

TowerGroup Research is available on the Internet at www.towergroup.com


2011 Tower Group, Inc.
May not be reproduced by any means without express permission. All rights reserved.

The Future of Risk Management: Getting GRC Right

Manage Risk and Make Compliance a By-Product


To comply with regulations, financial services institutions must first successfully manage their
risk environment. After all, failure in risk management can lead to destruction of the institution
and then what is there to regulate? Regulatory compliance can be a by-product of the risk
management practices, controls, and processes that an institution puts in place if they are done
well. The first of the frameworks reviewed in this paper is that of TCS.

TCS Integrated Risk Management Framework


Since the global financial crisis began, interest in the integrated risk management concept has
been gaining momentum and evolving. TCS Integrated Risk Management Reference Architecture
Framework is aimed at gaining a comprehensive understanding of risk across all business
functions, internal lines of business, and subsidiaries throughout the firm. Twelve integral
components of the business architecture define the target state for banks adopting this holistic
risk management approach. The components deal with risks that have come under scrutiny in
the financial crisis, industry best practices, and the Basel II requirements of the Bank for
International Settlements as well as requirements of national regulators around the globe.
Although the architecture is thorough, its value to an FSI is only as good as the extent to which
risk management is integrated into strategic decision making across the institution and in its
day-to-day business operations. An integrated framework such as the one depicted in Exhibit 1
must support both strategic considerations and tactical execution. Clearly, the value of strategy is
lost unless it can be operationalized, and a tactical approach is only as good as its application and
often wholly dependent on individuals for execution.

Exhibit 1
TCS Integrated Risk Management Reference Architecture Framework

[Figure: diagram of the framework's twelve numbered components (stations): Risk Context (business strategy, objectives, and goals; risk policy; risk culture; risk appetite; risk governance; business units and support functions; business processes), Risk Identification, Risk Assessment, Risk Quantification, Capital Planning/Projection, Risk-Based Performance Measures, Risk Monitoring and Control, and Disclosures/Reports, with components in focus postcrisis highlighted.]

Source: TCS

The TCS framework as shown in Exhibit 1 appears complex, but it captures logical and long-known
aspects of risk. Most of the elements of the framework already exist in the FSI, albeit in an
uncoordinated fashion, making this a practical approach to coordination, aggregation, and
integration of risk.
The exhibit depicts the functional view of the TCS Integrated Risk Management Framework from
the perspective of integrating market, credit, and operational risk functions. When extended
enterprise-wide, reckoning all the other residual risks, it assumes the stature of an enterprise
risk management (ERM) framework with relevant structural internal and external linkages
together with governance and compliance dimensions.
Risk context is established in stations 1 through 5 in the exhibit, which align risk management
strategy with current and intermediate objectives. Combining the elements of business strategy with the
FSI's culture, risk appetite, and governance approach and aligning them with the business units
ensures the FSI of follow-through from strategy to execution. Note how these elements are
rolled out across all business units and product lines. Finally, mapping business processes across
all asset types and support functions captures the "softer" elements of operational risk
associated with day-to-day activities.
Risk identification (station 6) is the platform for gathering all of the traditional domain area
risks, from market to credit to operational risk, and addresses risk from the perspective of Basel
requirements. (At this juncture, it identifies operational risk within FSI functional and
management areas as product and delivery operational risks.) In this area of the framework, an
FSI could also insert compliance matters that change from time to time.
Risk assessment (station 7) is qualitative and should be supported by a scoring process. This
major function of the governance team requires the scoring mechanism to be completed at a
high level by senior personnel who are not too buried in detail to understand the overall nature
of the FSI. The results captured by this assessment allow for the prioritizing of risk based on
materiality, which may differ from one financial institution to another. The governance process
and personnel should indicate clearly which risks are most important. Of course, until the risks
are quantified, the final approach to risk management cannot be identified.
Risk quantification (station 8) captures the activities needed for quantification and scoring of
all identified risks. This "heavy lifting" area calls for significant volumes of data and the use of
analytics. The necessary elements most likely already exist in the FSI, perhaps in several places.
Coordinating these more technical aspects of risk quantification not only reduces duplication of
effort but also allows the organization to fill gaps in risk quantification that occur naturally due to
a lack of coordination among business units and functions. Having identified the material risks,
this quantification allows for both strategic and capital planning through risk aggregation and
correlation.
Capital planning (station 9) is tied to the strategic and operational plan of the FSI. Just as
financial planning follows the strategic plan, capital planning becomes the proof point as to
whether the FSI can fulfill the strategic plan goals. Leveraging the risk quantification techniques
used in station 8, the FSI can ascertain the sufficiency of capital on hand and project the capital
required in the future based on performing a range of stress tests or economic scenarios.
Risk-based performance measures (station 10) need to be embedded in the bank's decision-making
processes. This work determines the success of the whole endeavor and can serve as an
early warning system. Traditional metrics can be used such as RAROC, earnings at risk, and
market value of equity.
Risk monitoring and controls (station 11) serve as a feedback loop. Although depicted as a
layer in the architecture, risk monitoring and controls could just as well be cyclical since they are
the means of oversight and validation of the work done in the previous stations. Note that both
internal adherence to the bank's risk objectives and regulatory oversight are necessary at this
station to ensure the quality of the integrated whole. This station monitors the risk appetite and
risk tolerance levels set earlier for the enterprise, the business units, and portfolio(s) through key
performance indicators (KPIs). Risk-based internal audits need to be carried out periodically to
review the identified risks and the quality of risk assessments.
Reports (station 12) deliver business intelligence (BI) to fulfill both internal and external
reporting requirements. Regulators are increasing the accountability of financial services
institutions for delivering on-demand audit and regulatory reporting. It is impractical to build BI
and reporting functions separately because doing so would result in unneeded costs and
duplication of underlying data that is common to both risk and compliance needs. Separate
reporting also increases the risk that regulators might view the firm differently than management
does. As for business value, it is in this station that the feedback loop to the business strategy at
station 1 is completed as well.
This framework is by definition a high-level view and therefore does not detail the technologies
and specific areas of expertise involved, but TCS offers documentation to support its
implementation. As is the case with many vendors today, the company also provides professional
services to augment internal resources in the design and implementation phases.
Although the quality of operations depends on the FSI having the right expertise, TCS can
provide support through consultants in leveraging IT assets, data, expertise, and skills as a form
of convergence of the risk management and audit and control functions, especially for those
functions found at stations 8 (quantification), 10 (measurement), and 11 (retesting and
revalidation). The integration of data and technology for more than one function creates efficient
use of resources and allows for both operational self-assessments and independent audits
because common features have value in reusability. These are invariably organized along three
lines of defense:

The line manager, who is responsible for the self-assessment and incident reporting
under his or her respective functions

Support functions, which are responsible for formulation of policies and their
implementation and ongoing coordination, investigations, and analysis

And finally, independent assurance in the form of audits
The TCS Integrated Risk Management Framework provides orchestration for many of the existing
one-off risk management processes and allows for aggregation of risk at the company level,
where both capital and liquidity can be managed more effectively.


From Compliance to Risk Management and Back Again: Vendor Solutions Evolve

A holistic risk management framework is only half the story as FSIs look to the future. Driving
the integration of risk management with compliance is the need to better automate
compliance, reduce the cost of compliance, and improve the flexibility of reporting in order to
meet varied and rapidly changing requirements.
Structurally, most frameworks and architectures are a composite of technologies, communication
links, and analytics with different levels of proprietary application segments. These are
orchestrated with business processes and human interaction, which serve to integrate them.
Most solutions have emphasized either compliance or risk management, tapping into more
granular point solutions to bring the output from those solutions into a common taxonomy to
depict firmwide views.
The more granular the framework or architecture, the less universal the crossover from risk to
compliance (and vice versa). Specialization deepens a solution but narrows the breadth of
coverage. The more specific the framework, the less universal its applicability. The solutions
cited in Exhibit 2 are beginning to combine compliance and risk for more crossover between
these functions.
Exhibit 2
Risk and Compliance Architectures and Frameworks: Different Purposes, Different Value Propositions

[Figure: quadrant chart plotting each solution by Risk Management Value (horizontal axis) against Regulatory and Compliance Value (vertical axis), with the four quadrants labelled High/Low on each axis. Solutions plotted: Wolters Kluwer GRC with FRSGlobal; TCS Integrated Risk Management; Capgemini Risk Management; Wipro Operational Risk Management (2); SAS Risk Framework for Capital Allocation; Infosys Operational Risk Management; FICO Decision Management; GoldenSource Risk Hub (1).]

Source: TowerGroup
(1) Architecture specialized in S&I.
(2) Architecture specialized in insurance.

It is no surprise that the more general the framework, the easier it is to assemble point solutions
from across the risk and compliance spectrum. Thus, generalized frameworks like that offered by
Capgemini and TCS have built-in flexibility that allows them to more naturally serve both risk
and compliance. Wolters Kluwer's solutions have evolved from the compliance side, beginning at
loan origination, and thus are heavily tied to compliance processes and documents created
through those processes. At the other end of the spectrum, GoldenSource's Risk Hub is built to
provide risk management insight at the point of a trading decision. Although this makes it a
leading risk tool, there are limits to its native capacity to serve as a compliance framework. Both
Wolters Kluwer and GoldenSource as well as other solutions are now broadening the focus of
their solutions. Wipro and Infosys solutions are built around operational risk, and SAS has
focused on capital allocation, while FICO addresses a broader range of enterprise decisions and
not just risk management per se.
The TCS framework is currently one of the leaders in balancing risk and compliance. While its
framework is advanced in design, the ease and quality of implementation are highly dependent
on the ability to access and leverage the right data within the operational workflow of the FSI. By
pulling information from many underlying risk management point solutions, broader integration
is accomplished in a logical manner with some technological support both to calculate firmwide
risk and to visualize and understand that overall risk. As for compliance, the solution enables
access to data from across the framework and integrates that into reporting capabilities for
compliance. Perhaps more important, the approach creates a feedback loop on which FSI
governance can take action to improve risk management.

Governance: Integrated and Yet Independent


Governance is not baked into an IT solution; nor should it be. The governance aspect of GRC
must become an enterprise activity involving top executives as well as an element of
responsibility in each employee's job. To accomplish this goal, several key aspects of an FSI
must be taken into consideration. The business model determines who and what is integrated.
Although every FSI faces operational factors that are both risk oriented and compliance oriented,
the structure of the governance aspect of GRC should depend on the nature of the lines of
business, the internal functions, and who conducts those functions (in-house, outsourced, hybrid,
etc.). The mix of responsibility for GRC will vary among FSIs as they begin to source more
services from external service providers in modes such as software as a service or platform as a
service (SaaS, PaaS).
Companies need principles to guide them in administering the risk function dynamically. Among
the ingredients of effective risk governance are the following:

Sound policy limits for total risk exposure at any given time, including the risks
associated with noncompliance

Visibility and transparency into each area of risk and compliance, no matter where it
resides in the company

Human resource measurement and training on risk and compliance within an ongoing
process

The expectation (the corporate culture) that all risks and compliance issues identified will
be brought into the open

As one examines the solutions discussed above, it is clear that for technology to contribute to
better governance, it must work effectively at both the compliance and the risk management
levels. In short, the technology needs to find itself in the upper right quadrant of Exhibit 2 with a
high rating in both risk and compliance. It needs to afford an increasingly holistic view of both
and report that view in a manner that is easily understood and on which those responsible for
governance can act.


Conclusions
Governance, risk management, and compliance is a concept that has failed to live up to its
promise in the financial services industry. Although both financial services institutions and
technology vendors have pursued GRC, most have been successful in delivering only on the
compliance aspect, leaving the other two elements only loosely associated with the concept. With
changes to global regulation and the increasing costs they entail, the demand for better risk
management, and the need for enhanced governance acumen, new and emerging architectures
and frameworks are beginning to address these historical shortfalls. As these technologies,
solutions, and processes improve, FSIs should engage proactively with leading vendors in
building the evolutionary roadmap for sound governance, holistic risk management, and effective
compliance.

Tata Consultancy (TCS) commissioned TowerGroup to combine existing research and analysis of
risk management trends, solutions, and technologies in the financial services industry. The
content of this report is based on two previously published TowerGroup Research Notes:
V65:16B, From Cohabitation to Wedded Bliss? The Future of Governance, Risk Management, and
Compliance (GRC), and V65:15B, From Frameworks to Architecture: Holistic Risk Management
Matures Across Financial Services. The content of these reports and this document is the
product of TowerGroup and is based on independent, unbiased research not tied to any vendor
product or solution. Although every effort has been taken to verify the accuracy of this
information, neither TowerGroup nor the sponsor of this report can accept any responsibility or
liability for reliance by any person on this research or any of the information, opinions, or
conclusions set out in the report.
