GRC IN BANKS

GRC which stands for Governance, Risk & Compliance is a new way of setting up integrated internal controls mechanisms in Banks that would aid as facilitators in building a framework for better risk management.

Today, Banks are faced with varied Risks such as Compliance Risks, Operational Risks, Financial Reporting Risks, Reputational Risks, etc. The question which arises is how to manage and mitigate these risks. Is there any centralized and integrated framework that helps central monitoring and also helps from a cost-effectiveness perspective? If these are motives, then I would suggest the GRC framework as an answer to establishing a strong risk and control framework.

The objective of managing Compliance Risk is to achieve better regulatory compliance, likewise, for Operational Risk Basel compliance is the benchmark. For Finance, internal control over financial reporting in the form of SOx Compliance is the end objective. These objectives can be achieved if GRC is implemented by documenting the following:

1. Documenting process followed at the Bank-wide level
2. Documenting Risks at the Bank
3. Documenting controls, controls can be common as well to mitigate multiple risks
4. Preparing a mapping of risks and controls with processes. If one can aim to map products then that would be great.
5. Doing a risk assessment exercise.
6. Finally, preparing a dashboard for management on the overall performance of various risks.

The pertinent question which arises while implementing GRC is how do we achieve uniformity of objectives and cost-effectiveness? The simple answer to these questions are enumerated below:

• Risks such as Compliance, Operational, Financial Reporting, Reputation, etc. may be of unique nature. However, there can be common or unique control that would be mitigating these risks. Hence, the use of a common risk library would facilitate Banks in reducing audit fatigue.
• All the repositories of risks at the bank-wide level would be available in one place.
• Data to top management in the form of MI or a dashboard can be easily accessible.
• Feeds can be provided to Audit for Internet Audit purposes.
• Thematic reviews can be done as slicing and dicing of data in a GRC setup can be done smoothly.

Thus, there are many positives of implementing a GRC framework which definitely requires the Bank’s management sponsorship so that teams can dedicatedly work for a common goal and the project can be implemented in a time-bound manner.

Recently, Banks are faced penalties from RBI on account of lapsing internal control mechanisms. In order to avoid such instances, GRC can come handy. With in-depth analysis of processes and risks and controls mapping the changes of control gaps are mitigated which results in changes of no failure situation.

The next big question while implementing GRC, is whether big investment and support of knowledge and technological vendor would be required. The answer is yes, to a certain extent. With vast banking experience, an in-house team can be set up keeping the clear expectations of the management and with the internal team, the best technological vendor support can be sought for providing the off-the-shelf GRC module for suiting the immediate need.

Lastly, in the journey of GRC implementation, the following aspects should be kept in mind, which come to my mind basis prior experience:

1. The tone should be set at the top of my management. Management sponsorship is a must.
2. Dedicated project review team to be set up for timely review.
3. A specialized team from each workstream should be formed.
4. Timelines are to be tracked rigorously.

Thank you.

Abhishek R Sharma