This is Part I of a two-part blog series. To read Part II, click here.
I just read an article that states researchers have now concluded that the mid-life crisis actually exists, and that it peaks (or reaches rock bottom) at the age of 47.2. According to this research, my mid-life crisis will fall on Monday, May 25th, this year. However, there’s not a single indication in my life that this scenario will impact me, besides some grey hair, teenage kids, and a dog.
A few weeks back (mid-March 2020), I was speaking at the AML & ABC Forum in London hosted by Informa. Attending the different sessions and listening to the other speakers and panel discussions, it struck me that everybody is seeking a “holistic” software platform that could provide a “one view” for all their risk and compliance data. They discussed the vision of how to “jointly” collaborate on operational risks, compliance risks, controls, investigations, and reporting. When one of the panel moderators asked, “How many of you have a software in place that allows you to have one view for all your risk and compliance information and will let you collaborate across the AML and ABC compliance domain?”, nobody raised their hand.
My presentation abstract: Utilizing digital tools for effective AML governance
Looking at AML penalties over recent years in a global context, we’ve seen a pattern of a high number of penalties issued due to the lack of satisfactory AML program governance. Given today’s rapid changes in geopolitical risks, regulations, and sanctions, the need to take an increasingly integrated and coherent approach to global risk and compliance governance is paramount.
This means that the components of a financial institution’s AML program, sanctions, and ABC compliance must be integrated and collaborative to proactively identify and mitigate risk. It also means that institutions must take a global view, understanding how different components of their organization(s) interact with each other.
Culture eats strategy for breakfast
I have been a technology professional and devotee for 20+ years. Keeping in mind the mid-life crisis mentioned above, “20+” is a professional way of saying, “I’m getting old.” GRC is also getting old. It was introduced in 2002 by OCEG.org. And “Digital” is getting old: did you know that the first version of Microsoft Word was released in 1983 – 37 years ago?
It is a well-known saying that culture eats strategy for breakfast. It illustrates how hard it is to introduce new methods in a set environment. The poor people working within the GRC domain face this challenge every single day, driven by continuous regulatory updates. How can we change the culture to achieve our business objectives within the GRC space? A significant stake in GRC is “the tone at the top” that sets the foundation for cultural change. We are trying to improve the risk culture and the culture of behavior, accountability, and conduct to comply with regulations such as Basel, Solvency, IAC, AML, ABC, and more. I will jump to the conclusion for now and share my suggestion, which is to improve the organizational digital culture. Eventually, the digital culture will aid in driving the inherent corporate culture in the right direction.
Man vs. Machine
Over 20+ years, I have observed hesitance among GRC professionals to embrace technology. GRC professionals are risk-averse by nature, which also makes them brilliant at what they do. The typical question is, “Is your software approved by lawyers?” I wonder: do lawyers approve Microsoft Word? If the software makes decisions for you, then that’s a relevant question. And, yes, we have seen ugly examples of GRC professionals and lawyers being burned in the past by bad software. Can we expect GRC professionals to embrace technology in their risk-based work? How can technology companies expect GRC professionals to be experts on both GRC and “Digital”? Digital infancy is probably the fault of us “technical people” – we have not been able to speak the language of GRC professionals, lawyers, and other disciplines, for that matter. There are thousands of software components for GRC available, and the jungle of LegalTech and RegTech is hard to navigate. Not to mention all the focus on Artificial Intelligence and Machine Learning – digital evolution can be scary. To illustrate my point, let us simplify how we’re looking at digital maturity by splitting it into three main phases: Digitization, Digitalization, and Digital Transformation (i).
Let us start with a success story. Core banking has gone through a transformation over recent decades – a digital transformation. What banks did with their core banking is an excellent example of how organizations/industries can utilize “Digital” to transform their business models and provide customers with an improved experience and added value.
First, the phase of “Digitization” (levels 1 and 2) means making something digital. In this stage, we focus on the data: unstructured (e.g., Word and PowerPoint) and structured (e.g., databases, structured file/exchange formats such as XML and JSON, and Excel, if used correctly). In this stage, it is essential to apply proper data governance to the data that should be structured. Next, with “Digitalization,” we build on the digitized data and focus on processes and automation. Ultimately, we have the foundation to achieve “Digital Transformation,” where we focus on improving/changing the business model and improving the experience for our customers.
This is, of course, a very simplified explanation; however, it serves its purpose to illustrate how digital can help us improve our governance, risk, and compliance challenges. It is, in essence, all about building and maintaining an enabling GRC information and technology architecture in your organization.
Digital infancy is more common than we think. Based on this model, if you are, e.g., doing your risk assessments and treatment in Word or PowerPoint, you are on maturity level 1. If you are using Excel, you have started your journey towards maturity level 2 and, depending on your organization, have probably experienced the limitations of using these tools in the GRC context.
Many of the challenges we observe – not only in the GRC domain but in general – can be traced to the fact that organizations are still basing their business-critical decisions on unstructured and even ungoverned data.
The benefits of structured data vs. unstructured data
Structured data is highly organized and formatted so that it’s easily searchable in, e.g., relational databases. Unstructured data has no pre-defined format or organization, making it much more difficult to collect, process, and analyze.
Many organizations are trying to solve their unstructured data-related challenges through the use of AI. AI is an umbrella term involving technologies such as Machine Learning, Natural Language Processing, and more. These techniques can solve many challenges across both unstructured and structured data and are essential components of Cognitive GRC (or GRC 5.0)(ii). However, AI is not an alternative to Data Governance. So, where do we draw the line between humans and computers for decision-making?
To continue reading, go to Part II.