From managing regulatory overload to putting the R into GRC solutions (Governance, Risk Management and Compliance), regtech strategies were a hot topic for delegates at a recent conference on operational risk.
If, like me, you wonder why ‘regtech’ purports to present new solutions that have seemingly been around for some time, then I’m glad I’m not the only one.
But if a buzzword like this highlights to more people what’s now possible, then that has to be a good thing.
We just need to ensure we don’t lose sight of the fact that even though the newest wave of technologies under the regtech banner do things the previous generation couldn’t, they will present little upside if we don’t learn from the experiences of deploying older technologies to support operational risk practices.
Using regtech to enable risk functions
Whether you call it regtech or not, the recent New Generation Operational Risk event in London not only provided an invaluable opportunity to showcase the ways that technology can be used to enable operational risk functions but also to share experiences on how we might get the best from them.
In my presentation to the conference, I highlighted how financial institutions must ensure a joined-up approach to their technology strategy so that it extends across the whole enterprise.
Only by doing this will boards of directors be provided with a singular view of risk, and the business be better equipped to make more informed decisions based on clearer information.
At the event, I detailed five key points that are central to any risk technology strategy:
- Choose who you partner with internally to create your plan. Some neighbouring risk functions make poor bedfellows if you have differing ways of measuring or reporting on risk.
- Understand how the broader technology environment impacts your plan. It’s better to know ahead of time if, for example, a neighboring function is about to invest in technology you could leverage or, at an enterprise level, there are new data visualization and reporting solutions that you can and should integrate with.
- Recognize the internal and external forces that impact your strategic direction. Regulators are pushing business leaders to take greater personal accountability for compliance matters. Is their voice being heard when determining the requirements for a new technology?
- Identify what is needed for a sustainable target operating model, and plan accordingly. When the system goes live, and the deployment team pack up, what will business-as-usual administration look like? Without the right sponsorship and business backing from the beginning, a new solution is unlikely to survive for long.
- Future-proof your plan so that it makes best use of available and emerging technologies. Are your strategies based on an outdated view of what technologies are available today?
When applying this plan, it will work differently at larger, more established banks versus a start-up.
The former will typically have several Risk, Compliance and Audit functions with established ways of working and legacy solutions you can’t easily remove. The right technology strategy will likely need to integrate what’s already there, rather than wholesale replace.
In a start-up, however, there will more often be a blank canvas and an opportunity and desire to build processes that optimise the use of the latest technologies.
As event sponsors, we used the conference as an opportunity to showcase our new-to-market Thomson Reuters Connected Risk platform, as well as to hear from industry leaders and peers on what their priorities for operational risk are this year.
Some of the questions following our presentation are included below.
Q. Should the CEO lead the process?
A. We’d typically see sponsorship for a more integrated solution come within the remit of the Chief Risk Officer.
Q. A lot of GRC solutions end up with G & C but no R. What’s your experience?
A. The previous generation of solutions had many risk capabilities, but the fact that this question has been asked suggests they missed the spot.
These solutions provided the basis for supporting repeatable processes, for example risk assessment, incident management, Key Risk Indicators etc.
But there were limitations with respect to performance and complex reporting and aggregation. Newer solutions go some way to addressing these shortcomings.
Q. Realistically aggregating individual operational risks is subjective. Any views on good approaches?
A. Rather than fully automate aggregation tasks, best practice is to use technology to do the basics, e.g. aggregate by individual thematic or business division.
Cross-aggregation between these areas requires human intervention, but the newest technologies will assist in this task by i) being more adept at drawing together and translating data to a common standard and ii) providing analytics tools to assist in looking for unusual patterns.
Q. What are your views on having key regulation included within GRC tools? What are the challenges in making this a success?
A. Technology that informs you of regulatory change isn’t new. Neither is technology that maps regulation to processes and compliance programmes. But what we now have for the first time is the ability to link these two exercises.
The obvious challenges are:
- Knowing what sources you can trust for complete update information.
- Having a solution that is nimble enough to map and refine the linkages between regulation and internally impacted process.
Unsurprisingly, much of our solution development has focused on this need, culminating in the recent launch of Thomson Reuters Regulatory Change Management, part of our Connected Risk offering.
Q. How do you ensure middle management focus?
A. Technology facilitates a disciplined approach but does not in itself drive discipline. For example, technology provides a clear audit trail of self-assessment scores, allows comparison between self-assessment and independent compliance checks and therefore can call out where self-assessment wasn’t being taken seriously.
But it is for management to then take this information and take appropriate action if it highlights poor discipline.
You may have your own perspectives you’d wish to add to the debate, whether or not you were at this event. Do feel free to drop me a line with any thoughts, experiences or observations.