Implementing an IT-GRC Program
Ker Shing Chock, Head of Legal & Compliance, DBS Bank, Malaysia
Ker Shing Chock, Head of Legal & Compliance, DBS Bank, Malaysia
The concept of GRC is nothing new but the entire framework itself is feeling the heat due to growing regulatory environment (especially after the financial collapse of 2008), higher business complexity, increased demands for more accountability, and rapid proliferation of new risks.
Generally, GRC initiatives will always require business and IT to work together, as many of the risks and challenges in GRC landscape cannot be solved efficiently without specific IT tools. Hence, the term “IT strategy” has been used commonly in the context of GRC process enhancement. This notwithstanding, one should always bear in mind that the software is not the strategy; without a solid governance structure as a foundation, no solution will adhere to compliance.
An effective GRC strategy requires top management to bring order to GRC activities across the organisation – that is, across all business functions and units, all underlying IT infrastructure and all geographies. This is particularly important because when corporate GRC are fragmented, it implies a higher expenditure of time and money, causing significant misallocation of financial and human resources.
To develop a coherent GRC approach across the organisation whereby management can have a firmer handle on risk from all aspects, a common GRC technology platform (IT-GRC) may be of utmost importance, apart from having a common framework to define the group-wide GRC principles; approve policies, provide guidance to different segments of GRC initiatives, and authorize any GRC-related technology investments.
A good IT-GRC platform should consider embedding stronger financial controls and compliance objectives, and not just a mere system upgrade to meet the ad-hoc requirements. A successful IT-GRC implementation can enhance business processes from two broad aspects:
(a) Information Resource Management
It is undeniable that both private and public sector executives are battling against a tide of information, which organisations and their staff cannot easily cope up with. Under the common IT-GRC platform, fragmented information can be brought together and streamlined so that employees are able to rely on those comprehensive data to support their analytics, reporting, business rule and end-point decision making.
This can be achieved by coming up with a common repository for all policy documents, regulatory updates, training materials and other compliance resources.
A Good IT-GRC Platform Should Consider Embedding Stronger Financial Controls And Compliance Objectives
Under a central location where data is stored and managed, users are not just able to create new policies and controls and map them to the regulations and internal requirements, but also able to assess whether the controls are in place and working, and fix them if they are not.
In addition, effective information governance through a common IT platform will also help business to extract data for all GRC-related reporting across departments and across domains, which allows upper management to compare the GRC performance of different business units and identify risks on a real-time basis.
(b)Risk Management
Risk is inherent in everything we do and the portfolio of risk is broadening as new stresses and challenges continue to emerge.
To manage both internal and external risks of an organization, the most common and systematic approach would involve:
(a) Identification; (b) Analysis; (c) Evaluation; (d) Responding; and (e) On-going monitoring and reviewing risks, whereby the same will be embedded in most software solutions that supports the end-to-end risk management process.
That being said, we all recognize that risks do not exist in isolation. They interact with other events and conditions. Hence, to ensure that various risks are being managed and mitigated effectively within a common IT-GRC platform, it is important to understand and identify the correlation between different risks. Techniques such as risk-interaction matrices should be developed as part of the GRC tools for segmenting users, to prevent the impact of some risks that are underestimated in classical methods.
Malaysia IT Governance and Compliance
Back in the year 2011, Malaysia Software Testing Board (MSTB) initiated the Malaysia Software Testing Hub (MSTH) program funded by the Government with an aim to facilitate and strengthen the nation’s governance, risk and compliance (GRC) framework. In essence, the testing is to ensure the underlying IT components of the GRC framework are thoroughly tested for functionality, integrity, security, and so forth.
From banking and financial perspectives, the country’s central bank, Bank Negara Malaysia (BNM) had in October 2016, set up a Fintech regulatory sandbox framework for financial institutions and FinTech companies to experiment and test out innovations that:
(a) Improve the accessibility, efficiency, security and quality of financial services;
(b) Enhance the efficiency and effectiveness of Malaysian’s financial institution’s risk management; or
(c) Address the gaps in financing or investments in the Malaysian economy.
This concept of regulatory sandbox framework is not new as UK, Singapore and Australia are also encouraging the development of FinTech innovations. Banks are investing heavily in new technologies, and spending is expected to grow continuously as banks seek to take advantage of new IT and digital solutions to make their operations more efficient, comply with regulators while simultaneously interacting with customers in order to maintain competitiveness.
Conclusion
Today’s era is less about major rewrite of risk and compliance frameworks, and more about rapid response towards the fast-changing environment with big data. As corporates embark on new strategies and change by leveraging digital technology, effective governance from top level is essential to getting a comprehensive IT-GRC platform implemented. It requires an innovative approach not only of technology but of the entire management system.
