Excerpts from the fireside chat in the GRC Red Flag Series episode on 15th September 2022, featuring Michael Rasmussen, GRC Pundit, GRC 20/20, and Owe Lie-Bjelland, Director of GPRC Program, Corporater.
Michael: Owe, what are the challenges you see that financial services firms are facing?
Owe: Financial institutions are very familiar with generating profit from financial risks. The premise of these business models is upside risk. Non-financial risks, on the other hand, have traditionally been viewed solely as negative risks. Non-financial risks have become a huge cost to the banks due to the incurred direct and indirect financial losses. These potential downsides have grown in size over the decades, while the non-financial risk domain has grown in complexity. Thus, in the financial risk domain, the risk of loss resulting from using inaccurate models to make decisions is known as model risk, whereas in the non-financial risk domain, the concept of model risk is uncommon, and one may wonder which is the greater risk: an inaccurate model or a lack of a model. The scope and complexity of the non-financial risk domain have also introduced a range of organizational cost drivers that can be reduced and even eliminated in addition to the consequences of direct and indirect financial losses. Senior executives are facing issues in areas such as reputational damage, misconduct, security breaches, poor performance, and failure to comply with laws and regulations, to mention a few. According to our observations, banking and finance struggle more in the non-financial risk domain, and the lack of an overview of non-financial risks as well as the lack of a holistic GRC program, impacts their performance.
From the perspective of a technology vendor, the most common challenge is to have a holistic view for assurance purposes. For instance, in a supervisor audit, they seek a complete assurance portal for compliance purposes. And many banks and insurance companies struggle to go from digitalized unstructured data like MS Word and PowerPoint into what we call real digitalization with structured data quality processes orchestration for the entire GRC domain. The NFR, or non-financial risk domain, is becoming so complex that it is very hard, or even impossible, to govern, manage, and assure a holistic GRC program without professional GRC software in place. However, the lack of a model for non-financial risk and how it affects performance is basically a risk.
Michael: What’s more at risk – having a model or having an inaccurate model? The world is so dynamic and complex that our models oftentimes are quickly out of date. Models can never completely represent the real world because the real world has weighed so many variables in it. Models provide some approximation of the real world, but never accurately represent the real world. But, as the world changes, it requires that our models evolve and change with them as well. What do you think of that?
Owe: Having an inaccurate model is preferred over a non-existing model. We need to always improve, and that’s also a core principle in GRC — continuous improvement.
Michael: You brought up the acronym I love so dearly, Governance, Risk Management, and Compliance. What is GRC from your perspective?
Owe: I have adopted your definition of GRC, and I tend to communicate it as a toolbox to achieve performance objectives. For me, GRC is a wide umbrella that addresses everything that we can think of within the GRC domain. We have seen different acronyms lately, IRM for instance; it basically boils down to GRC. Many will think of GRC as governance, risk, and control, reflecting SOX and financial controls, but we believe in the wider definition of GRC. We believe that technology is an enabler for GRC, and it will not solve GRC on its own. We need people, processes, other tools, data for the holistic picture, and the technology that enables everything.
Michael: The reality is when organizations approach GRC, it’s almost backwards. Maybe we should call the acronym ‘CRG’ because it usually starts with compliance. They might move into risk, and down the road maybe hit governance. So, GRC becomes a compliance exercise, and then maybe risk management. Governance is often sidetracked and forgotten.
GRC is really about the reliable achievement of objectives. It is about those objectives, and those can be entity-level objectives at the highest level of the organization. They can be division, department, process, project, or even asset-level objectives. So, we’ve got different types of objectives, and governance is about reliably achieving objectives while addressing the uncertainty, the risk to those objectives. Compliance should be the follow-through, not the starting point. That’s why I find Corporater so fascinating. Corporater started as a performance management solution, and then built risk in that context, and compliance in that context. So, you differentiate yourself out there to financial services firms and other industries by being that top-driven performance management focus. So, what is performance management from your perspective?
Owe: From our perspective, performance management is the capability to execute a strategy and achieve objectives. Performance in different areas of the business could be financial stability, increased profitability, compliance-related performance goals, resilience, and assurance. The list is very long, but on the top level, we can measure performance in the financial domain, strategic domain, compliance, resilience, and assurance, but compliance is the driver for governance and risks. For example, individual accountability and conduct – it’s a regulation in multiple countries and actually, mandates governance. So, in order to stay compliant with the senior manager regime in the UK, we need to have this proper governance around the senior managers. Another example is that we need to adopt a risk management system to stay compliant in different industries. For instance, banking and finance. So, it’s very much driven by compliance.
Michael: How do you define the relationship between GRC and Performance Management? Is it just the ‘G’ in GRC? I’m not sure if that’s your perspective because you’re also talking about ‘GPRC’. So, what is the relationship between GRC and Performance Management, and how should financial services organizations start thinking about how to approach it?
Owe: In performance, we have performance measurement, meaning that we are measuring the results of a capability, and performance measurement exists in many GRC disciplines. So, there is a performance aspect to most GRC areas.
For instance, in information security, there is a standard called ISO 27004 in the 27001 series that is a collection of different performance metrics for measuring the performance of the information security program. This is the most operational way of measuring our GRC program but all of these measurements can be aggregated up the chain of the program and expressed as operational, tactical, or strategic key risk indicators or key performance indicators. It all relates to the relationship between GRC and performance management.
Performance is all about achieving objectives. Governance is about consistently achieving goals, and a part of it is about performance. Let’s take an analogy – what is the purpose of brakes in cars?
The purpose of brakes is to be able to stop the car, but the primary outcome of brakes is actually to go fast. We may push on the brakes of a car as a passive risk manager, but as a business-aligned risk manager, we will reduce the uncertainties for the business to move faster. In credit risk, for market liquidity concentration, there is a more direct relationship between risk and financial performance, but in the non-financial risk domain, it’s more subtle and intangible. It is an ever-changing domain that spans the entire organization, both horizontally and vertically. For example, an information security program that is not performing will pose a risk to the bank that might have consequences for performance on many levels. Many banks are focusing on performance, and they tend to define key performance indicators that are lagging in nature, meaning that they are recorded post-event. They show what has happened and in most instances, we cannot do anything about it. But in the risk domain of leading indicators, key risk indicators, if designed correctly, will show the indicators of the likelihood of something happening and the consequences for your performance if the scenario materializes. So there’s this cause-and-effect relationship between the operational, tactical, and strategic domains. We can call it the value driver tree with early warning detectors. It’s an intrinsic model that can be digitalized to achieve business value or principled performance at many levels.
Michael: This sort of comes together in what you call GPRC – Governance, Performance, Risk, and Compliance. Can you go through this a little more for us?
Owe: Soon after I joined Corporater, I wrote a blog and I gave it the title, ‘Emphasizing the P in GRC’, trying to align performance and GRC for a way forward to talking about this relationship. We have been using the acronym GPRC ever since, and it has been adopted by many companies since then. It makes perfect sense with your definition of GRC, and the principled performance. I’ve heard that you considered using the ‘P’ in the acronym when you helped establish GRC, is that right?
Michael: Yes, and that was all part of what you’ve already referenced, principled performance, which is one of the terms from OCEG. But, as much as I feel that the definition of GRC and the acronym of GRC holds water, and is good, I think adding the ‘P’ to it right now sort of right-sizes this. Too often for companies like financial services firms as well as other industries, it’s really ‘CRG’ and not ‘GRC’. I think adding that ‘P’ further emphasizes the performance aspect of it, and unpacks that governance piece further to get people thinking in the right perspective instead of backwards thinking.
Owe: Yes, there is a fine line between poor governance and risk. Poor governance means poor craftsmanship in running the business, and we often see that there is a mix between risk and poor governance. Both impact the performance if not done right, and then they meet at the intersection of governance, performance, and risk. A lack of performance could be caused by bad craftsmanship, bad governance, or a materialized risk. Both can have performance consequences.