An Agile Approach to Enterprise Risk Management and Compliance

An Agile Approach to Enterprise Risk Management and Compliance

By Luke Thomas, Regional Vice President – APAC at Appian

Compliance presents a strategic challenge for financial institutions in Australia and beyond. Following the financial crisis of 2008, regulatory fines, fees and the scope of regulatory focus have increased and expanded to such an extent that bankers today perceive compliance risk as one of their primary ongoing concerns.

On top of this, events such as COVID-19 have demonstrated that disruptive change can happen very quickly and if your enterprise risk management (ERM) systems and processes are unable to adapt and evolve at pace, the impact can be severe. That’s why financial services organisations need to be able to recalibrate how they manage risk with ease and speed. On this, McKinsey observed “Tighter compliance regulations have challenged financial institutions in a variety of ways. Yet those who adapt best may enjoy a distinct competitive advantage.”

However, for many banks, there’s the ongoing barrier to compliance of data residing in silos and legacy systems, due to the traditional banking structure along product lines or being built from mergers and acquisitions. So, how can financial institutions position themselves to be proactive and agile in dealing with compliance today?

Greater Scrutiny Requires Greater Visibility

Financial institutions are already well-versed in the basics of ERM: identifying risks, determining controls for mitigation, documenting approvals, and periodically reviewing and revising risk-related policies. However, the current economic outlook and simultaneous shifts to new ways of working (especially remote work) is pushing auditors and regulators to greater levels of scrutiny, particularly in the areas of credit risk, liquidity management (including stress testing), and security against data breaches. Withstanding shocks and emerging stronger in the post-COVID-19 era will require a sharper focus on high-risk areas and regulatory audits.

Commercial off-the-shelf (COTS) solutions have become a necessary part of the ERM ecosystem for specific functions or operations. But at the enterprise level, they are too rigid both in terms of their processes and the way they use data. Many are weak in the “enterprise” part of ERM because they lack adequate workflow capabilities, risk and control owners find them difficult to use or they lack the ability to adapt when an organisation makes a change like reorganising or implementing new strategies. Financial institutions may fill in the gaps with spreadsheets and emails, but these manual processes are a risk in their own right and are prone to errors, are inefficient and do not scale well.  This can be problematic when it is time for an audit or regulatory exam.

Internal Audit — Innovating at the Speed of Risk

During COVID-19, internal audit executives at financial institutions have been overwhelmed by an influx of challenges, all demanding rapid response in an ever-evolving climate. Meanwhile, internal audits remain a priority, with regulators indicating that they expect the three lines of defence – internal controls, risk management and compliance, and internal audit – to continue operating throughout any pandemic interruptions.

Internal audits are complex undertakings of people, processes, and data. Audits often inherently involve a significant level of manual processes, resulting in long cycle times and other inefficiencies. To classify risks and track issues to resolution, audit teams often need to review thousands of transactions. They are frequently challenged to achieve visibility across audit phases and into specific details and insights, efficiently coordinate key steps, and swiftly escalate and resolve issues.

Additionally, while the general approach to internal audit is broadly defined, each organisation has specific nuances and requirements depending on its structure, processes, systems, and more. Complicating matters even further, financial institutions are sometimes constrained by inflexible COTS solutions that do not fully support their needs and are difficult to modify when business processes or requirements change.

Horizon Scanning

In a heavily regulated industry like financial services, organisations need the ability to evaluate future regulations and laws before they come into effect.

Horizon scanning is a critical application for regulatory compliance teams. It transforms a financial institution’s ability to detect early signs of new laws and regulations that may impact the organisation. It allows them to manage change and assess future operational or reputational risk, with the visibility needed to demonstrate process control. This is an important component of the second line of defence: the processes, procedures and applications involved in managing, controlling, and mitigating risk.

However, many financial institutions are challenged by how to quickly and cost-effectively ingest, triage, review and analyse updates from local and global regulators with the visibility needed to rapidly respond and ensure oversight and auditability.

An Agile Approach

An enterprise low-code automation platform can address these challenges and more. With enterprise low-code, risk management teams can easily identify, categorise, and prioritise risks; identify system and procedural controls; document approvals; and periodically review and revise their institution’s risk-based policies. Teams can also map incidents to risks and controls as the incidents occur, ensuring currency and completeness.

Financial institutions also gain the visibility necessary to scope a project, monitor the status of work papers and tasks, quickly remediate gaps in control, and future-proof their internal audit functions. Throughout, teams are able to remove complexity from processes so that business owners and IT can collaborate efficiently and easily.

An enterprise low-code internal audit application gives organisations the flexibility they need to quickly make modifications, add functionality for changing business and regulatory requirements, and fully customise the application to meet the organisation’s unique needs and specific requirements. It’s designed to unify all systems, channels and customer information and bring together people, processes, and data via full stack automation: robotic process automation (RPA), artificial intelligence (AI), workflow, decision rules, case management, and more.

Enterprise low-code also allows dynamic reporting of audit activities, findings, follow-up actions, and KPIs, such as audits and action plans completed, resources allocated, productivity, stakeholder satisfaction, cost savings, and revenue opportunities.

Horizon scanning is also improved by tracking and monitoring regulatory changes through automation and improved coordination. An enterprise low-code platform captures data manually, using RPA, natural language processing (NLP), and through integration with government and regulatory websites and third-party data providers. This delivers increased visibility into emerging domestic and global regulations, laws and rules, so organisations can prepare at the highest level and implement any necessary changes across all lines of business.

Particularly in today’s constantly changing environment, financial institutions need an agile solution that gives them a clear real-time, rather than retrospective, actionable review of risk policies and frameworks across the organisation. Once in place, they can factor the impact of current events into ongoing stress testing and capital management. This kind of agile approach can reduce the timeframes of regulatory audits by 20 percent (10% on less standard audits), according to PwC.

Finding a Competitive Advantage

At the end of the day, regulations are aimed at retaining stability, safety and trust in financial services. What if banks could simplify their responses and alleviate non-compliance penalties, and instead channel these funds elsewhere, such as improving the management of business processes or the customer experience?

To reduce the risk of non-compliance, financial institutions are investing in integrated technology platforms that help them address ERM efficiently and effectively. An enterprise digital platform overlay approach can help banks achieve an actionable one risk view for holistic compliance.

This helps financial institutions to transform all of their compliance processes and consequently stay a step ahead of upcoming requirements. By taking this kind of proactive approach, and incorporating compliance requirements into business processes, banks can improve operational agility and customer focus, as well as more effectively manage risk.

For more information please visit: