Jaya Vaidhyanathan, CEO of BCT Digital, is a science and engineering professional with a deep passion for making India a superpower in this realm. She started her career as an investment banker in New York, after obtaining her engineering degree and management degree from Cornell University and earning a CFA charter. She specialized in mergers and acquisitions across the technology, telecom, and utilities verticals with several top Wall Street firms. In a conversation with CXO Outlook, Jaya talks about the Global Governance, Risk and Compliance (GRC) landscape, the benefits of adopting benchmarked GRC practices, and much more.
What is the nature of risks faced by organizations and financial institutions with regard to aspects like governance, compliance, and overall operations?
The Global Governance, Risk and Compliance (GRC) landscape is rapidly changing. Newer and diverse risks that have recently been emerging under uncertain market conditions call for a close re-examination of GRC as a function itself, as listed below:
Financial risks: Post the global financial crisis, financial risk emerged as one of the foremost priorities, especially for financial services.
Operational risks: This includes enterprise-wide risks caused by ever-increasing procedural complexities.
IT risks: Emerging threats in the technology landscape have made IT risk management critical for companies, as concepts like remote working have increased IT system presence greatly across sectors.
Cyber security risk: Similar to IT risk, this is also gaining prominence due to distributed working and service delivery in recent times – something noted by the Reserve Bank of India in its Jan’21 Financial Stability Report.
Conduct risk: A newer and widely discussed risk category, conduct risk relates to the behaviour of individuals associated with an organization.
Data Privacy: This is an interplay between two forces – increasing awareness among regulators about the importance of data privacy, with GDPR-like regulations emerging across regions, and distributed working which brings privacy issues within and outside the organisation.
Business Continuity: Shorter business cycles and disruptions of multiple kinds – natural and man-made – make business continuity risk a key monitoring parameter.
How can companies best meet the corporate governance, regulatory, and compliance challenges of today – and why has it become more necessary than ever before?
From the 2008 Financial Crisis to the post-Covid economy, the size and shape of risk management have significantly evolved. Of course, GRC is not a novel concept; a lot of companies have legacy systems intended to help them align to the existing risk landscape. But in a more dynamic and volatile landscape, organizations need to explore agile ways of managing risks and ensuring compliance. Importantly, GRC has taken center stage, as opposed to the audit function it was seen as a few years ago. Indeed, regulators are now insisting on GRC disclosures, and issues such as ESG are being watched closely by capital markets, with institutional investors incorporating ESG among investment criteria. Fortunately, the increased GRC requirements can be met through solutions built on extensible architectures using new-age technology, as outlined later.
How can technology innovations accelerate the roadmap to GRC?
Today, we have technology that allows data to be centralized and monetized the way we want to, but this also brings unprecedented changes to the risk landscape. In fact, the fallout of some of the leading banks of our times can be traced to the lack of a well-defined GRC framework. With conventional GRC practices, organizations stood the risk of running siloed initiatives that failed to align with their end-objectives and were extremely short-sighted. Organizations today are waking up to the fact that GRC cannot be restricted to IT/advisory siloes and that it needs to be comprehensive.
In this regard, technology is already proving to be a strong enabler – connecting the three lines of defense within businesses, in turn translating to higher flexibility in scaling up compliance. With the regulatory landscape fast-changing, the inability to address new risks can lead to higher, more frequent penalties for organizations, affecting their reputation and long-term growth prospects.
What industries best stand to benefit from adopting benchmarked GRC practices?
While any industry stands to benefit from adopting benchmarked GRC practices, banks and financial institutions are definitely on top of the list. Next-generation financial institutions need an all-encompassing, cohesive GRC framework to ensure they maintain a profitable, customer-centric, and sustainable stance in the marketplace. This is becoming more important now, with Basel III norms on quantification of Enterprise Risk requiring organizations to maintain a repository of past loss data, for capital computation. FIs need to effectively bring this complex and multi-layered framework into their businesses to stay ahead of the curve.
In any organization, who are the stakeholders involved in typically building the GRC framework and driving it to success?
An integrated, bird’s-eye view of GRC will help organizations manage risks more efficiently, identify breakdowns in time, and improve cross-organizational communication. Identifying business-critical risks on time is imperative to reducing losses. As the risk exposure reduces, so too will the cost of non-compliance – a fundamental aspiration of the GRC framework.
Particularly in the financial services industry, there is a need to integrate GRC, its varied elements, and causal agents throughout the organization. GRC is not a one-trick pony, nor is it a one-man show. It is a team effort involving these activities:
Tracking: Staying on top of the changing risk landscape and communicating them on time to relevant stakeholders
Ownership: Supervising and effecting risk management through designated risk champions, across business functions
Assessment: Continuous monitoring and assessment of risk mitigation to help minimize the impact
Automation: Automating critical activities to improve process efficiency and overcome workflow-related roadblocks
What would be the key trends in risk management and tech transformation for the banking industry in the new normal?
Ever since 2008, the global GRC landscape has been on a more dynamic footing. The way we look at trading and banking books has evolved, and more regulations are taking shape. With increasing digitization, cyber security, as we knew it, is also changing. All of this is underscored by marked upgrades in technology:
Microservices architecture: Enables GRC frameworks to become more modular and fluid, making it easy to integrate business-critical applications and regulatory requirements that govern them.
Comprehensive risk library: Aligning an organization’s GRC framework to a repository of known and emerging risks, reusable assets, and controls further improves its responsiveness and the ability to comply with evolving global and local standards.
Workflow systems: Having a well-defined, dynamic, and automated workflow structure is critical in enabling the GRC framework to integrate components across organizational levels.
Cloud and AI: A cloud-based architecture helps contain operational costs while improving predictability through AI/ML. It also limits silos, enables data visualization and advanced reporting.
Higher security: Effective cyber security controls will help organizations maintain higher levels of data security and protect the privacy of sensitive customer information.
In summary, we see a push towards enterprise-level GRC platforms that can give a 360° view of risk across departments and levels, as opposed to individual pockets managed by disparate solutions. This, in turn, requires enablers in the underlying technical architecture to achieve the desired scalability and flexibility.