
How an Integrated Risk Management (IRM) approach can transform your organization


Today there are more risk drivers that span across more areas of business, making it harder to monitor, manage, and mitigate risk than ever before. Yet much of the financial services industry is continuing to approach risk in the same way it always has—through two distinct silos of compliance and risk. However, the onset of the COVID-19 pandemic has exposed the cracks in these traditional approaches, and raised the need for a more comprehensive approach called Integrated Risk Management (IRM).

“The response to the coronavirus pandemic is a perfect example of when the [three lines of defense] and traditional risk governance don’t work very well. Traditional approaches fail because they can’t effectively deal with fast-moving and interconnected risks.” — Malcolm Murray, VP, Gartner Audit & Risk practice.

In this article, we cover:

An Overview of IRM and How It’s Different From Other Approaches

There are many factors that drive the overwhelming pace of change across financial firms’ risk profiles. These factors include:

  • The sweeping adoption of digital tools to meet consumer needs, which requires a reliance on external-facing third-party vendors.
  • The adoption of third-party vendors to manage behind-the-scenes complexities; often these new technologies and integrations must access consumer data collected by the firm, or they themselves collect more consumer data—a reality that leads to more subsequent risk.
  • Business expansion into other markets across the nation and around the globe, adding liability as both the number of consumers to protect and the number of regulators to adhere to multiply.
  • The reality of regulatory complexities, which is increasing on both a national and global scale.

How firms monitor, manage, and mitigate the risk associated with these factors depends on their risk and compliance philosophy. Here are two approaches that firms often take and how they compare to an IRM strategy.

Governance, Risk, and Compliance (GRC)

To understand IRM, it’s important to also understand how it came to be. In 2002, a series of financial scandals led to the passage of the Sarbanes-Oxley Act (SOX), a federal law that created a set of rules for accountants, auditors, and corporate officers, and imposed more stringent recordkeeping requirements on financial firms in particular. As a result, the industry developed the discipline of “governance, risk, and compliance” (GRC) to keep up with and manage these SOX requirements.

Over time, innovation began to play a more prominent role within the governance, risk, and compliance discipline, both to align IT with business objectives and to manage risk and meet compliance requirements effectively. This ultimately led to the creation of GRC-focused technology designed to help companies achieve these goals.

As time has passed, the GRC acronym has become synonymous with the GRC technology itself, which has led to the framework of the GRC discipline being conflated with the technology that powers it. But the framework that connects governance, risk, and compliance is an essential part of monitoring, managing, and mitigating risk effectively.

A conventional GRC framework is typically carried out by the three lines of defense, which are each responsible for a different aspect of overall risk management:

  • 1st line of defense: Line management should act as the first line of defense, identifying risks and implementing controls.
  • 2nd line of defense: Risk and assurance functions such as legal, compliance and enterprise risk management (ERM) should act as a second line, overseeing and monitoring risk management processes.
  • 3rd line of defense: Internal audit should act as a third line, taking a bird’s-eye view of the effectiveness of controls and risk management.

(Source: Gartner)

While the three lines of defense model is important, it can also make reacting to new risks difficult: it is slow and meticulous by design, and it is often disconnected from the rest of the organization, including the executive and board level.

Enterprise Risk Management (ERM)

As SOX compliance auditing and the GRC framework were taking shape, the role of enterprise risk was evolving as well. Risk mitigation was historically covered by purchasing insurance—such as property insurance, liability insurance, and malpractice insurance—to deal with literal events like natural disasters and theft, as well as lawsuits and claims relating to damage, loss, or injury. However, as more drivers of risk began to surface for firms, risk professionals expanded their purview to include risks associated with technology (particularly technological failures), company supply chains, and business expansion.

In response to this expanded risk profile, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) created the concept of Enterprise Risk Management (ERM) to spot risks and map them throughout a traditional company structure. ERM typically involves the highest levels within an organization, including executive and board-level decision makers, as it is intended to connect all of the departments across the organization.

While ERM is meant to help organizations proactively manage and mitigate company-wide risks, it does not oversee the management and implementation of the measures necessary to prevent and mitigate risk, especially in relation to regulatory compliance.

Integrated Risk Management (IRM)

In 2016, Gartner revisited the concepts of GRC and ERM and determined that each, while critical, didn’t fully connect all of the dots from a risk and compliance perspective. So, Gartner created a renewed framework that addressed both the high-level strategy of managing risk, as well as the hands-on work of making these strategies possible. And so Integrated Risk Management was born.

The numbers speak for themselves:

  • 57 percent of senior-level executives rank “risk and compliance” as one of the top two risk categories they felt least prepared to address.
  • 87 percent of organizations see tech risk management as a siloed, reactive process rather than an organization-wide function for proactive risk management.
  • Only 4 percent of organizations feel that their third-party risk management tools fully integrate and capture overall risk for reporting purposes.

IRM helps organizations address all of these concerns. It is an umbrella approach that bridges ERM and GRC, relying on ERM strategy to identify risk drivers and on the GRC framework to carry out the actual work of compliance. Through this connection, IRM creates a comprehensive view that:

  • Exposes any risk management gaps that exist due to silos
  • Proactively monitors, tracks, and implements compliance measures across all of the areas identified by the company’s executive-led ERM strategy

In turn, this enables companies to be more agile in their response to unforeseen circumstances, as IRM is both a top-down and bottom-up approach that includes executive and board-level leadership and the teams that do the actual work.

“Rather than putting compliance first, integrated risk management enables an organization to manage its unique set of risks that face its organization specifically and in turn meet compliance requirements as a part of that mission.” — CyberSaint Security

The Six Practice Areas of IRM

Gartner defines IRM through six practice areas:

(Figure: the six practice areas of integrated risk management)

1. Strategy: Enablement and implementation of a framework, including performance improvement through effective governance and risk ownership

2. Assessment: Identification, evaluation and prioritization of risks

3. Response: Identification and implementation of mechanisms to mitigate risk

4. Communication and reporting: Provision of the best or most appropriate means to track and inform stakeholders of an enterprise’s risk response

5. Monitoring: Identification and implementation of processes that methodically track governance objectives, risk ownership/accountability, compliance with policies and decisions that are set through the governance process, risks to those objectives and the effectiveness of risk mitigation and controls

6. Technology: Design and implementation of an IRM solution (IRMS) architecture

Ultimately, IRM oversees, prepares for, and mitigates all of the aspects that make up a company’s dynamic risk profile, such as physical, technological, data-oriented, and regulatory risk. According to LogicGate, an agile GRC cloud solution and Ascent integration partner:

“Integrated Risk Management gives business leaders a clear picture of all their risks. With their newfound understanding of the enterprise’s dynamic risk profile, they can make better decisions at the enterprise level about which risks to mitigate and which to accept or transfer. By integrating risk areas and recognizing interdependencies, executives can ask more strategic questions about how risk in one part of the business impacts other parts of the business.”


The First Steps in Implementing an IRM Strategy

The first steps in building an IRM strategy focus on two of the six practice areas (Strategy and Assessment):

1. Outline your company goals and strategy

2. Determine which stakeholders ladder up to those areas of business

3. Identify the key risk drivers from those areas of business, including those associated with regulatory compliance

To identify the risks associated with regulatory compliance, it’s important to start from the beginning. At Ascent, we use the most granular regulatory data in the industry to help risk and compliance teams pinpoint and map their regulatory requirements and obligations throughout their organizations. This is especially important when setting up a regulatory compliance framework for the first time or addressing gaps in a firm’s existing framework.

Our AI-driven technology called RegulationAI takes this process one step further, by keeping firms’ obligations updated so they never miss a regulatory change that could expose them to additional risk. These dynamic granular obligations are even more powerful when they’re seamlessly tied into GRC platforms, such as LogicGate and IBM OpenPages—a capability that Ascent has built through its API integrations.

To learn more about Ascent’s API integrations, contact us directly.

Ascent and IBM Integrate AI RegTech Solutions to Help Financial Institutions Streamline their Compliance Operations


Chicago and Armonk, NY, July 15, 2020 – Ascent, a provider of AI-based solutions that automate regulatory compliance processes, and IBM today announced a partnership to integrate their respective RegTech solutions in an effort to help banks and other financial institutions better manage their growing and ever-changing regulatory requirements.

Specifically, IBM is integrating Ascent’s regulatory knowledge platform with its IBM OpenPages with Watson solution. Clients will be able to feed their regulatory obligations and rule changes – which are automatically generated and updated by Ascent – into IBM OpenPages with Watson in order to better manage downstream compliance activities.

The integrated solution is designed to help regulated businesses keep better pace with today’s rapidly changing regulatory environment and help lower the risk of potential fines and other supervisory actions. In addition, customers can benefit from the combined dynamic workflow capabilities and near real-time market intelligence, reducing the manual effort and time spent transferring regulatory information between teams and disparate systems.

The IBM and Ascent partnership was the direct result of Ascent’s successful proof-of-concept engagement with the Commonwealth Bank of Australia (CBA) earlier this year, in which IBM was also a key technology partner. The companies combined the Ascent platform with OpenPages with Watson, which used natural language processing and AI algorithms to identify and analyze more than 1.5 million paragraphs of regulatory text from the country’s Markets in Financial Instruments Directive II. The solution allowed CBA to quickly identify terms in the regulation that they needed to review and act upon – a process that would otherwise have taken days of manual scanning.

“The potential of this technology for the Bank and the financial services industry more broadly is exciting,” said Jasper Poos, Head of Governance and Assurance at Commonwealth Bank of Australia. “By digitising parts of the regulatory change process, and the automation of continuously refreshing data we can improve the application of regulation, efficiency for our business as well as provide greater transparency with regulators. It’s been rewarding to collaborate with our RegTech and technology partners on a project that will have such a large, positive impact for our industry.”

“AI for business is only as good as the ecosystem around it. And our collaboration with Ascent on the CBA solution is a great example of bringing innovative technologies together with purpose to help solve a growing challenge,” said David Marmer, Vice President, Offering Management, IBM RegTech. “Regulation can be complex, time consuming and costly. But with the application of AI and dynamically updated rules changes, companies are positioned to begin to operate and advance within those parameters quickly and easily.”

“We are pleased to launch this joint initiative with one of the world’s leading technology companies,” said Brian Clark, Ascent Founder & CEO. “Ascent is designed to work with OpenPages and other enterprise systems in a powerful and complementary way. Ascent’s ability to map obligations and regulatory changes targeted to the customer is a powerful workflow trigger for GRCs. We are excited about the implications it will have for our clients in financial services and look forward to helping them dramatically reduce regulatory risks and costs going forward.”

Ascent has been rapidly gaining momentum since its founding in 2015. Since its inception, Ascent has grown 100% year over year, secured $26.7M in funding, and expanded to 50 full-time employees.

About Ascent

Ascent was founded in 2015 to help financial services firms automate the most tedious and error-prone aspects of compliance. With customers from Tier 1 and Tier 2 banks and other financial firms around the world, Ascent provides Knowledge-as-a-Service (KaaS) as a groundbreaking new way to navigate the increasingly complex world of regulations quickly, efficiently, and most important of all, reliably. Learn more at www.ascentregtech.com.

About IBM OpenPages with Watson

For more information about the latest release of IBM OpenPages with Watson, version 8.2, check out the IBM webinar on June 23.

View this announcement on the IBM News Room.

Media Contact:

Patrick Phalon
MacMillan Communications
(917) 689-3438
patrick@macmillancom.com

Michael Zimmerman
IBM Media Relations
mrzimmerman@us.ibm.com