Executive Summary
The concept of combining risk management and compliance activities is not new. It has long
borne the name "governance, risk management, and compliance," or GRC, although in practice,
GRC has historically defaulted to the "C" part of the acronym. That is, most implementations of
GRC are about compliance only. Governance is often relegated to the steps required by
regulation and not treated as integral to a financial services institution's (FSI's) risk appetite,
business objectives, or control processes. Risk management has largely been ignored as well in
defining GRC and developing technologies to support it. However, as a separate discipline, it has
played a central role in the financial services industry. Even with the recent addition of analytics
and enhanced data access capabilities, most FSIs have failed to gain a cohesive, holistic view of
risk across the entire company that their boards of directors and management can address.
Although compliance and risk management have commonalities, they are not the same thing.
Risk management must be based on the FSI's business plans and risk tolerance. Compliance
rules may set some hurdles or limits, but they do not manage risk, as evidenced by the fact that
many of the FSIs that failed or nearly failed during the recent financial crisis were in compliance
with regulations. Today, an integrated, firmwide view of risk is especially necessary in light of
new demands for more sophisticated capital and liquidity management. Global regulatory bodies
are rapidly becoming more expert in the techniques needed to manage risk. In light of emerging
business and regulatory trends, now is the time to develop a meaningful integration path for
compliance and risk management and to incorporate a sound governance approach to both, one
that results in the realization of the full promise of GRC. The journey toward that integration has
already begun.
This report reviews frameworks for integrating governance, risk management, and regulatory
compliance. The following concepts are key:
Building a holistic framework or architecture into a business at the process level is the best means of integrating the various aspects of risk management and compliance firmwide.
Deploying new frameworks and architectures incrementally increases their sophistication and value over time while expanding their usage throughout the FSI.
Solutions with crossover ability for risk management and compliance will evolve, becoming customized as FSIs discover new ways to use the framework.
The structure of the governance element in GRC depends on an FSI's business model, the nature of its lines of business and internal functions, and who conducts those functions.
Exhibit 1: TCS Integrated Risk Management Framework (figure not reproduced; the diagram shows the numbered stations of the framework, from risk policy and business strategy through risk appetite, risk identification, risk assessment, risk quantification, capital planning/projection, risk monitoring and controls, and disclosures/reports). Source: TCS
The TCS framework as shown in Exhibit 1 appears complex, but it captures logical and long-known aspects of risk. Most of the elements of the framework already exist in the FSI, albeit in
2011 The Tower Group, Inc.
May not be reproduced by any means without express permission. All rights reserved.
early warning system. Traditional metrics such as RAROC, earnings at risk, and market value of
equity can be used.
Risk monitoring and controls (station 11) serve as a feedback loop. Although depicted as a
layer in the architecture, risk monitoring and controls could just as well be cyclical since they are
the means of oversight and validation of the work done in the previous stations. Note that both
internal adherence to the bank's risk objectives and regulatory oversight are necessary at this
station to ensure the quality of the integrated whole. This station monitors the risk appetite and
risk tolerance levels set earlier for the enterprise, the business units, and portfolio(s) through key
performance indicators (KPIs). Risk-based internal audits need to be carried out periodically to
review the identified risks and the quality of risk assessments.
Reports (station 12) deliver business intelligence (BI) to fulfill both internal and external
reporting requirements. Regulators are increasing the accountability of financial services
institutions for delivering on-demand audit and regulatory reporting. It is impractical to build BI
and reporting functions separately because doing so would result in unneeded costs and
duplication of underlying data that is common to both risk and compliance needs. Separate
reporting also increases the risk that regulators might view the firm differently than management
does. As for business value, it is in this station that the feedback loop to the business strategy at
station 1 is completed as well.
This framework is by definition a high-level view and therefore does not detail the technologies
and specific areas of expertise involved, but TCS offers documentation to support its
implementation. As is the case with many vendors today, the company also provides professional
services to augment internal resources in the design and implementation phases.
Although the quality of operations depends on the FSI having the right expertise, TCS can
provide support through consultants in leveraging IT assets, data, expertise, and skills as a form
of convergence of the risk management and audit and control functions, especially for those
functions found at stations 8 (quantification), 10 (measurement), and 11 (retesting and
revalidation). The integration of data and technology for more than one function creates efficient
use of resources and allows for both operational self-assessments and independent audits
because common features have value in reusability. These are invariably organized along three
lines of defense:
The line manager, who is responsible for the self-assessment and incident reporting
under his or her respective functions,
The TCS Integrated Risk Management Framework provides orchestration for many of the existing
one-off risk management processes and allows for aggregation of risk at the company level,
where both capital and liquidity can be managed more effectively.
Exhibit 2: Vendor solutions positioned by risk management and compliance capability (quadrant chart, each axis rated Low to High; figure not reproduced). Notes: (1) Architecture specialized in S&I. (2) Architecture specialized in insurance. Source: TowerGroup
It is no surprise that the more general the framework, the easier it is to assemble point solutions
from across the risk and compliance spectrum. Thus, generalized frameworks like those offered by
Capgemini and TCS have built-in flexibility that allows them to more naturally serve both risk
and compliance. Wolters Kluwer's solutions have evolved from the compliance side, beginning at
loan origination, and thus are heavily tied to compliance processes and documents created
through those processes. At the other end of the spectrum, GoldenSource's Risk Hub is built to
provide risk management insight at the point of a trading decision. Although this makes it a
leading risk tool, there are limits to its native capacity to serve as a compliance framework. Both
Wolters Kluwer and GoldenSource as well as other solutions are now broadening the focus of
their solutions. Wipro and Infosys solutions are built around operational risk, and SAS has
focused on capital allocation, while FICO addresses a broader range of enterprise decisions and
not just risk management per se.
The TCS framework is currently one of the leaders in balancing risk and compliance. While its
framework is advanced in design, the ease and quality of implementation are highly dependent
on the ability to access and leverage the right data within the operational workflow of the FSI. By
pulling information from many underlying risk management point solutions, broader integration
is accomplished in a logical manner with some technological support both to calculate firmwide
risk and to visualize and understand that overall risk. As for compliance, the solution enables
access to data from across the framework and integrates that into reporting capabilities for
compliance. Perhaps more important, the approach creates a feedback loop on which FSI
governance can take action to improve risk management.
Sound policy limits for total risk exposure at any given time, including the risks associated with noncompliance
Visibility and transparency into each area of risk and compliance, no matter where it resides in the company
Human resource measurement and training on risk and compliance within an ongoing process
The expectation (the corporate culture) that all risks and compliance issues identified will be brought into the open
As one examines the solutions discussed above, it is clear that for technology to contribute to
better governance, it must work effectively at both the compliance and the risk management
levels. In short, the technology needs to find itself in the upper right quadrant of Exhibit 2 with a
high rating in both risk and compliance. It needs to afford an increasingly holistic view of both
and report that view in a manner that is easily understood and on which those responsible for
governance can act.
Conclusions
Governance, risk management, and compliance is a concept that has failed to live up to its
promise in the financial services industry. Although both financial services institutions and
technology vendors have pursued GRC, most have been successful in delivering only on the
compliance aspect, leaving the other two elements only loosely associated with the concept. With
changes to global regulation and the increasing costs they entail, the demand for better risk
management, and the need for enhanced governance acumen, new and emerging architectures
and frameworks are beginning to address these historical shortfalls. As these technologies,
solutions, and processes improve, FSIs should engage proactively with leading vendors in
building the evolutionary roadmap for sound governance, holistic risk management, and effective
compliance.
Tata Consultancy (TCS) commissioned TowerGroup to combine existing research and analysis of
risk management trends, solutions, and technologies in the financial services industry. The
content of this report is based on two previously published TowerGroup Research Notes:
V65:16B, From Cohabitation to Wedded Bliss? The Future of Governance, Risk Management, and
Compliance (GRC), and V65:15B, From Frameworks to Architecture: Holistic Risk Management
Matures Across Financial Services. The content of these reports and this document are the
product of TowerGroup and are based on independent, unbiased research not tied to any vendor
product or solution. Although every effort has been taken to verify the accuracy of this
information, neither TowerGroup nor the sponsor of this report can accept any responsibility or
liability for reliance by any person on this research or any of the information, opinions, or
conclusions set out in the report.