Generali Group’s Governance in 8 Masterclasses

Masterclass 1: Building and Learning an Effective Governance, Risk, and Compliance

Preamble

Generali Group is an insurance company that just like other financial services organisations is subject to a large body of legislation and regulation. Given that past scandals associated with noncompliance and excessive risk taking have resulted in an exponential growth of regulatory policies and intensive scrutiny of companies’ operations, the organisation is seriously in need of skilled governance, risk management, and compliance (GRC) staff (ICA 2015).

In order to have a better control of risk areas and guarantee strict adherence to relevant laws, policies, contracts, and regulations, Generali Group has developed an internal control and risk management system (Weinstein & Wild 2013). The system also helps the company to ensure that its actuarial and financial functions are aligned with the company’s mission, vision, and objectives. This is being achieved through “a strong human development element” (ICA 2015, p. 1) of GRC.

The aim of this reflective journal is to highlight the main elements of building and leading an effective GRC strategy in the insurance company. The topic is especially relevant to me because by understanding characteristics of an effective GRC strategy it is possible to improve GRC capability of Generali Group, thereby optimising performance and sustainability of the organisation.

Background reading

Required reading:

• Darcy, K 2013, ‘The effective practitioner: ethics and compliance: birth of a profession’, Business Compliance, vol. 13, no. 1, pp. 36-45.
• Killingsworth, S 2013, ‘Ethics in the executive suite: the best, the brightest and a wicked problem – part II: the role of the board in c-suite compliance’, Business Compliance, vol. 12, no. 1, pp. 22-33.
• Smith-Meyer, A 2015, ‘A definition of ethics in business’, Compliance & Ethics Professionals, December 2015 issue, .
• Martin, R 2008, The opposable mind: how successful leaders win through integrative thinking, Harvard Business School Press, Harvard.
• Ibarra, H 2015. Act like a leader, think like a leader, Harvard Business School Press, Harvard.
• Additional reading:
• Chmielewski, C 2004, Values and culture in ethical decision making, Web.
• Driver, D 2016, Governance, risk management, financial regulation and compliance: an integrated approach, Wiley, Chichester.
• Kedia, S, Luo, S & Rajgopal, S 2016, ‘Culture of weak compliance and financial reporting risk’, The Journal of Law and Economics, vol. 48, no. 1, pp. 371-407.
• Schlegel, G & Trent, R 2016, Supply chain risk management: an emerging discipline, CRC Press, New York.
• Weinstein, S & Wild, C 2013, Legal risk management, governance and compliance: a guide to best practice from leading experts, Globe Law and Business, New York.
• Zimmerli, W, Richter, K & Holzinger, M 2007, Corporate ethics and corporate governance, Springer, New York.

Key principles and issues raised within the Masterclass

Human Element

The first learning point from the Masterclass is that even well intentioned GRC strategy cannot be effective without concentrating on the human dimension, which includes actions, personal traits, and skills of organisation’s employees. Therefore, in addition to installing proper controls, policies, and procedures, effective GRC activities have to make sure that workers commit to compliance culture on a personal level (Killingsworth 2013). It will help personnel to readjust quickly to unexpected changes in the regulatory environment in which a company operates. It is important to understand that without emphasising the human element, a company’s GRC program will not be able to meet its objectives.

According to ICA (2015), proper emphasis on the human element “is as much about effective cooperation and collaboration among staff working to meet common goals and objectives as it is in simply manifesting a character of integrity and honesty” (p. 2). Even though GRC practitioners appreciate the differences between intrinsic values of employees, they, nonetheless, have to understand that in order to avoid undesirable outcomes of employees’ decision-making processes, all personnel should be introduced to a single set of principles guiding a company. It will provide staff with a sense of a common goal and will help them to avoid extremes on an ethical continuum (Chmielewski 2004).

There are three rules outlined by Chmielewski (2004) that can be introduced by GRC practitioners to staff in order to guide their ethical decision-making process:

The Rule of Private Gain

The rule invites an individual to consider whether their decision will result in them gaining something at the expense of another person.

If Everyone Does It

Another question that has to be asked in advance of a decision is ‘who would be hurt?’ (Chmielewski 2004).

Benefits vs. Burden

The rule urges a decision maker to weigh benefits of a decision against its burden. If the burden outweighs the benefits, the behaviour under question is unethical.

GRC will work effectively only if all employees are introduced to a company’s core values and principles and know how to act on them within a context of organisational success and integrity (FSPCOMP5) (Darcy 2013). Furthermore, such a common framework will help to ensure that the contributions of employees at all organisational levels result in the establishment of a virtuous cycle (Zimmerli, Richter & Holzinger 2007)

Organisational Features

The second learning point from the Masterclass is that in order to guarantee an optimal performance of a GRC system, it is necessary to consider carefully the key features of an organisation. It has to do with the fact that organisational features can influence both the process of development of a GRC framework and its outcome to a great degree. It must be borne in mind that financial services organisations differ in their GRC capabilities; therefore, while some companies will benefit from a top-down approach, others have to adopt a decentralised approach.

Size and scale of operations in which an organisation is involved influence its ability to respond to risks and compliance incidents in an effective and timely manner (Kedia, Luo & Rajgopal 2016). The growth in the scale of company’s operations should coincide with the evolution of its GRC functions. It has to do with the fact that if a GRC system is simply magnified to accommodate a larger scale of business activities gaps of accountability might emerge. Furthermore, the differences in the rate of growth of business units might translate in the uneven distribution of control activities thereby reducing a company’s potential for managing its risks (Driver 2016).

Supplementary risks introduced at the nodes of a company’s supply chain should also be considered during the development of a GRC framework (ICT 2015; Schlegel & Trent 2016). Furthermore, if a company outsources some of its functions to third parties, it is vulnerable to acquiring additional risks. Therefore, the external contractual arrangements have to be reflected in an organisation’s GRC strategy.

Strategic goals of financial services organisations are another element of consideration that should not be missed by GRC professionals when they engage in the process of designing a GRC framework. Contradictions between a company’s objectives and the shape of GRC might result in the increase of reputational risk and underperformance (ICT 2015).

It is also necessary to avoid potential misalignments between GRC functions and codes, rules, and policies governing the industry in which a company operates. Given that the financial services industry is associated with massive changes in regulatory enforcement, GRC practitioners have to ensure that GRC resources are distributed in a prudential manner.

GRC Leaders

The third learning point that must be taken away from the Masterclass is that GRC leaders are qualitatively different from skilled GRC practitioners. Unlike, GRC practitioners, GRC leaders are always aware of the bigger picture (i.e. economic and financial climate in which a firm operates) (ICT 2015). Furthermore, a GRC leader is an individual who is capable of foreseeing changes in the essential matters of concern for a company and to act proactively and decisively to ensure that their company can mitigate and manage risks at all organisational levels (Martin 2008; Weinstein & Wild 2013).

Leadership scholars argue that values and beliefs of effective leaders are not contradictory in practice (Ibarra 2015; Zimmerli, Richter & Holzinger 2007). Therefore, GRC leaders should have a clear perspective on a company’s ethical framework and on how it aligns with its regulatory requirements. Another critical feature that separates leaders from GRC practitioners is an ability to make correct decisions on limited information by synthesising information gained from previous experiences and other sources.

Utilisation and recommendations for business activities:

In terms or practical application of the key learning points described above, Generali Group’s GRC practitioners have to analyse carefully the key features shaping the requirement for GRC capabilities of their company. Generali Group recognises the following elements as the minimum requirements for its internal control and risk management system:

• internal control environment,
• internal control activities,
• awareness,
• monitoring, and
• reporting (Generali Group 2016).

Taking into consideration the fact that there are many areas requiring control activities in the company, it will benefit from utilising a decentralised approach to the development of its GRC framework, in which risks are managed at the point of their origination (ICT 2015). In light of numerous elements influencing the development of a company’s GRC strategy, Generali Group has to consider how its characteristics are encapsulated in a GRC framework.

Another practical suggestion for Generali Group is to make sure its GRC strategy emphasises the human element, which includes actions, personal traits, and skills of organisation’s employees. In addition to developing policies for managing three core functions of GRC, the company’s GRC practitioners have to introduce all employees to a single set of values and principles through its code of ethics.

Generali Group has to provide its GRC professionals with resources and training necessary for them to become effective leaders capable of quickly adapting to changing demands of the regulatory environment and a company’s evolving size and scale.

Conclusion

After conducting a research on the Masterclass topic, I have understood that the process of developing a GRC framework requires a careful analysis of a company’s main functions and characteristics. Now I know that effective leaders who have a vision of the wider picture of GRC know that it is necessary to incorporate the human element in a GRC strategy.

Masterclass 2: Strategic Risk Management – Strategic Areas of Concern

Preamble

Generali Group is a financial services organisation that specialises in the provision of insurance services around the world; therefore, it is open to numerous global risks that can materialise in a wide variety of new and unexpected ways, thereby leading to severe legal and reputational ramifications for the company. The company has 420 subsidiaries in the United States, Europe, Middle East, Latin America, and Asia and employs more than 74, 000 people, which means that it requires full GRC functionality that can guarantee holistic risk management (Generali Group n.d.).

GRC practitioners of any large enterprise functioning within financial services setting have to recognise strategic risk as “a principal factor in the holistic management of risks” (ICT 2015, p. 1). By doing so, they would be able to develop and implement strategic risk management policies at the corporate level, which will help them to successfully mitigate the effects of exposure to uncertainties associated with management processes and objectives of their companies.

This reflective journal aims to explore the strategic risk management and highlight the importance of risk-focussed personnel for enhancing the competitive advantage of financial services organisations. The topic is of high relevance to me because by incorporating effective risk management practices into corporate strategies of Generali Group, it is possible to improve the company’s tolerance to a wide range of threats.

Background reading

Required reading:

• AON 2017, Global risk management survey report, Web.
• COSO 2016, Enterprise risk management: aligning risk with strategy and performance, Web.
• FRC 2014, Guidance on risk management, internal control and related financial and business reporting, Web.
• ISO 2009, Risk management—principles and guidelines, Web.
• Sowcik, M 2015, Leadership 2050: critical challenges, key contexts and emerging trends, Emerald Group, New York, NY.

Additional reading:

• Deloitte 2015, Third party governance & risk management: turning risk into opportunity, Web.
• GAD 2013, Strategic risk management, Web.
• Generali Group n.d., At a glance, Web.
• Grant Thornton 2016, Balancing risk with opportunity in challenging times, Web.
• Griffiths, S 2017, Professional postgraduate diploma in governance, risk and compliance: masterclass 2: strategic risk management, International Compliance Training Ltd, Birmingham.
• ICT 2015, ICA professional postgraduate diploma in governance, risk and compliance: course manual – module 3, International Compliance Training Ltd, Birmingham.
• Kroll 2016, 2016 Corporate risk survey: trends in cyber security, fraud, compliance and Big Data, Web.
• Mohammed, A & Sykes, R n.d., Sharpening strategic risk management, Web.
• PWC 2017, Risk in review: managing risk from the front line, Web.

Key principles and issues raised within the Masterclass:

Cross-contamination of risks

The first learning point from the Masterclass is that risks faced by companies providing financial services are often interrelated and can lead to cross-contamination resulting in severe consequences such as loss of reputation. GRC practitioners engaged in strategic risk management have to recognise the key areas of concern in order to prevent risks of multidisciplinary nature from crystallising.

An ever-changing landscape of modern risks includes the following elements: macroeconomic, cybersecurity, reputation and brand equity, regulatory and legal, new technologies, business interruption, market developments, natural catastrophes, and financial crime (AON 2017; Griffiths 2017; ISO 2009). In order to effectively deal with these risks and prevent them from cross-contamination, GRC leaders create unique risk management ecosystems within their companies. According to a recent survey, companies spend on average 12 percent of their revenues on GRC activities (Grant Thornton 2016). The allocation of GRC costs varies greatly among companies; however, on average financial services organisations spend 28 percent of their GRC budget on financial risks, 27 percent on compliance risks, 20 percent on operational risks, and only 13 percent on strategic risks (Grant Thornton 2016).

Strategic risks are referred to as “the uncertainties and untapped opportunities embedded in a company’s strategic intent and how well they are executed” (Mohammed & Sykes n.d., para. 2). Risk-focussed personnel understand that such risks can spill over to all areas of a company’s operations instead of influencing an isolated business unit. Unfortunately, risk management is often conducted separately from frontline assessments of strategic nature, which means that organisations cannot follow a resilience imperative. Effective GRC strategies should not only include risk assessment, management of risks, control processes, and communication systems but they also have to transfer risk decision-making procedures to the front line (PWC 2017). A recent study reveals that only 13 percent of companies lead risk decision making from their first lines (PWC 2017). It means that organisations that are not capable of “aligning ownership of key business risks with ownership of risk decision making” (PWC 2017, p. 5) are more open to adverse results of cross contamination of risks than their front line counterparts.

Third party governance and strategic risk management

The second learning point from the Masterclass is that third party governance is an important component of strategic risk management (FSPCOMP14). Outstanding GRC practitioners should know how to translate risks into business value. It can be argued that all risks have to be viewed as drivers of opportunity by 21-century leaders (Grant Thornton 2016; Sowcik 2015). Therefore, effective managers should opt for the holistic approach to risk, which will help them to devote maximum strategic attention to all business functions. This is especially true when it comes to gaining full visibility of risks associated with third party actions.

The process of prudential risk management presupposes the control of third party risks that can substantially damage the reputation of a company and compromise continuity of business. Therefore, financial services companies willing to implement superior control systems minimising their exposure to strategic risks should extend their regulatory efforts to third parties that include, but are not limited to, “providers of IT and supporting business processes, all contractors, marketing partners and agents, brokers, and franchisees” (Deloitte 2015, p. 6).

In order to avoid multi-million-dollar fines, GRC practitioners of financial services organisations should embrace new approaches to the safety of their enterprises. Third party governance is especially important in the world of technology-driven innovations that create new risk associated with cyber security and big data. The need to mitigate technological risks facing third parties is highlighted by a recent report that indicates that cyber security is considered the most substantial threat to modern corporations (Kroll 2016). The report also shows that almost 60 percent of companies do not have effective protection against data breaches (Kroll 2016).

Prudential Risks

The third learning point from the Masterclass is that GRC practitioners have to be able to identify and properly analyse prudential risks (ICT 2015). By doing so, risk-focussed personnel will secure the reputation of their companies, which is especially important in the context of the finance sector. The ramifications of the 2007 financial crisis have led to financial services organisations emphasising more on GRC activities (ICT 2015). The interest in prudential and conduct issues has reached its peak with the issuance of new policies and regulations by the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) (ICT 2015).

No organisation can ignore with impunity macro-prudential risks. In order to resolve issues associated with prudential stability authorities apply macro-prudential regulatory tools that focus on the following elements of companies functioning on financial markets: capital adequacy, liquidity, asset quality, profitability, management performance, and sensitivity to systemic risks (ICT 2015). Macro-prudential policies exist in order to prevent intermediaries from externalising costs of their behaviour, which is a behaviour that might lead to severe consequences for a financial system. GRC specialists in organisations such as Generali Group have to understand how these tools and policies limit systemic threats. It will help them to reduce systemic risk contribution associated with the behaviour of their companies. Other factors that should be of particular interest to risk-focussed personnel include, but are not limited to, balance of payments, exchange rates, GDP growth rates, and regional and international economic landscapes (COSCO 2016; ICT 2015).

Micro-prudential risks are another area of concern for GRC practitioners of financial services organisations. Micro-prudential regulation is necessary to limit systemic risks pertaining to the stability of an individual company. Even though the foci of policies aimed at the management of micro-prudential risks is an organisation, they are often intertwined with broader macro-prudential regulations. These overlapping policies have to be understood by effective GRC leaders who want to increase the resilience of their companies.

Utilisation and recommendations for business activities

In terms or practical application of the key learning points described above, risk-focussed personnel of Generali Group have to be cognisant of an ever-changing landscape of modern risks in order to avoid their cross-contamination. GRC practitioners of the company should create a unique risk management ecosystem that will help the organisation to minimise the effect of threats associated with macroeconomic trends, cybersecurity, reputation and brand equity, regulatory and legal environment, new technologies, market developments, and financial crime among others (Griffiths 2017).

To create an effective risk management ecosystem, the company should adopt a strategic top-down approach. Such approach is only effective when it is aligned with a bottom-up process for operational risk management (GAD 2013; FRC 2014). Furthermore, GRC specialists of Generali Group have to clearly define the current level of the company’s risk tolerance and identify the consequences of bad outcomes. Risk tolerance analysis has to be regularly reviewed at board meetings (FSPCOMP6). The board of the company should evaluate the likelihood of bad outcomes in order to make informed decisions. Such approach to the decision-making process will allow greater focus on the most important areas of concern. All lessons learned from such reviews should be summarised in reports.

Conclusion

After conduction a thorough research on the Masterclass topic, I have realised that an effective strategic risk management can provide a company with a decisive edge. By reducing the harmful influence of strategic uncertainties, an organisation can ensure that its reputation is not damaged by actions of third parties as well as other unwarranted events. Now I know that strategic risk mitigation is the process that only includes risk assessment, management, control but also transfers risk decision-making procedures to a company’s front line, thereby fostering a high level of responsiveness.

Masterclass 3: Future of Payment Services

Preamble

An insurance company, Generali Group, just like other financial services organisations, requires a seamlessly functioning payment system that will reduce its transaction costs. Taking into consideration the fact that the company has many subsidiaries around the world, it has to ensure the safety of its payment arrangements. Furthermore, Generali Group relies on services provided by commercial banks and has central banks accounts; therefore, it is important that a payment system used by the company mitigates credit and liquidity risks (PCR 2015).

Payment systems are associated with numerous risks that include, but are not limited to, settlement risk, credit risk, operational risk, reputational risk, security risk, liquidity risk, and regulatory risk (ICT 2016). The role of GRC functions is to mitigate these and other risks and ensure sustainability of business; therefore, it is hard to overestimate the importance of GRC in the context of payment systems. In order to guarantee strict adherence to pertinent regulations, GRC practitioners have to understand both infrastructures of the current payment systems and future developments of payment services (Weinstein & Wild 2013).

The aim of this reflective journal is to explore the future of payment services and highlight the importance of payment regulations. The topic is especially relevant to me because by understanding the future developments of payment services it is possible to improve GRC capability of Generali Group, thereby mitigating the key areas of risk associated with monetary transactions.

Background reading

Required reading:

• Capgemini 2016, World Payment report 2016, Web.
• Capgemini 2017, World FinTech report 2017, Web.
• HM Treasury 2014, Digital currencies: call for information, Web.
• PSR 2015, A new regulatory framework for payment systems in the UK, Web.

Additional reading:

• Bartlett, J 2015, The dark net, Windmill Books, New York.
• Carton, F, Hedman, J, Dennehy, D, Damsgaard, J, Tan, K & McCarthy, J, B 2012, ‘Framework for mobile payments integration’, The Electronic Journal Information Systems Evaluation, vol. 15, no. 1, pp. 14-25.
• EBA 2014, EBA opinion on ‘virtual currencies,’ Web.
• Haycock, J & Richmond, S 2015, Bye bye bye banks?: how retail banks are being displaced, diminished and disintermediated by tech startups-and what they can do to survive, Wunderkammer, Melbourne.
• ICT 2016, ICA professional postgraduate diploma in governance, risk and compliance: course manual – module 4, International Compliance Training Ltd, Birmingham.
• Wang, Z & Wolman, A 2014, Payment choices and the future of currency: insights from two billion retail transactions, Web.
• Weinstein, S & Wild, C 2013, Legal risk management, governance and compliance: a guide to best practice from leading experts, Globe Law and Business, New York.

Key principles and issues raised within the Masterclass

Importance

The first learning point from the Masterclass is about the importance of the future of payment services. Well-designed GRC strategy must ensure that a company is perfectly capable of meeting all payment regulations. Three jurisdictions form a wider financial system of the world and play a key part in the development of the global marketplace; the US, the EU, and Hong Kong SAR (ICT 2016). The rapid pace of change in the ecosystem of payment services, which is triggered by the creation of high-speed data networks and portable computing devices, pushes the development of new jurisdictional approaches to payments and market infrastructures.

GRC practitioners of Generali Group have to understand the key areas of concern associated with the three jurisdictional approaches of the modern financial system. Furthermore, the rise of FinTech movement, which is associated with FinTax, created new regulatory challenges for GRC practitioners of financial services organisations. Three key jurisdictions—China, the US, and the UK—have different regulatory structures that serve their market needs; therefore, an outstanding GRC specialist has to understand the intricacies of these structures in order to provide their companies with proper regulatory guidance (Capgemini 2017).

It should be mentioned that acceptance of card payments is only the first step towards financial inclusion, which is necessary for succeeding in the market. There is a wide-range of alternative payment services that have been embraced by successful companies around the world. These services include, but are not limited to, PayPal, Apple Pay, Google Wallet, and Payoneer (Haycock & Richmond 2015).

Future Payment

The second learning point from the Masterclass is that non-cash transactions are a key part of future payment trends. Payments systems play a key role in the growth of modern economies; therefore, it is impossible to overestimate their importance in the market processes. However, methods of payment evolve over time, thereby leading to the creation of new systems capable of completely changing existing business models. It means that GRC practitioners of financial services organisations have to be cognisant of the driving forces on the payments market in order to guarantee compliance with laws and regulations associated with payment instruments used by their companies. Furthermore, they also should understand instruments, transaction types, banking procedures, payment domains, geographic scope, and other key dimensions of the circulation of money (Carton et al. 2012).

According to a recent report issued by Capgemini (2016), “global non-cash transaction volumes grew at 8.9% to reach 387.3 billion in 2014” (p. 6). Interestingly enough, emerging economies in Asia have shown the highest growth rate—more than 30 percent (Capgemini 2016). Latin America is the next-fastest grown region in the adoption of non-cash transactions—8.3 percent (Capgemini 2016). The report shows that the largest non-cash markets in the world include the U.S., Eurozone, Brazil, China, the U.K., South Korea, Japan, Canada, Russia, and Australia (Capgemini 2016). It means that payments industry will inevitably shift towards alternative solutions for payments processing.

A study conducted by Wang and Wolman (2014) reveals that the cash share of retail sales has been on the decline for many years. The researchers have studied consumer choices in different types of stores across the U.S. By analysing the data obtained from more than two billion transactions, they have reached the conclusion that “the cash share of transactions will decline at 2.54 percentage points per year, from its current level of 75 percent” (Wang & Wolman 2014, p. 38). Therefore, it can be argued that legacy payment processes will be virtually non-existent in payment systems of the future. It means that financial services organisations have to adopt new technologies and adjust their value propositions.

E-money and Virtual Currencies

Over the last decade, the payment industry has experienced several tectonic shifts associated with innovative technology (Haycock & Richmond 2015). These changes have led to the reduction of people’s and businesses’ reliance on slow and outdated payment methods that involve checks and cash. Technological advances have resulted in the creation of two alternatives to traditional currencies: virtual currencies and e-money.

The Financial Action Task Force (FATF) defines virtual currencies as “digital representations of value that can be digitally traded” (cited in Capgemini 2016, p. 21). Just like traditional currencies, virtual currencies function as a medium of exchange; however, they are not issued by any jurisdiction (EBA 2014; HM Treasury 2014). Therefore, it is necessary to distinguish them from fiat currencies that are customarily used by issuing countries.

Cryptocurrencies such as Linden dollars and Bitcoins are considered a form of virtual currencies (Bartlett 2015). Both cryptocurrencies and virtual currencies are associated with organised crime and allow carrying out illegal activities with complete anonymity. The misuse of the technology is a subject of concern for authorities because there is ample evidence suggesting that theorist organisations fund their operations through peer-to-peer sites by using the payment system. Furthermore, organised criminals use darknets and virtual currencies to sell drugs and child exploitation materials (Bartlett 2015).

E-money refers to a payment system allowing electronic storage of monetary value (Capgemini 2016). Economists recognise two types of digital money: identified e-money and digital cash (anonymous e-money) (Capgemini 2016). Identified e-money is associated with information that can be used to track the money movement as well as identify a person using it. Digital cash, on the other hand, acts like paper cash.

Both digital cash and e-money can be divided into two distinct groups: online and offline. Online category necessitates the involvement of a payment system as an intermediary in a transaction. Offline money imitates features of real cash and can be used independently of banks. Unlike virtual currencies, e-money closely resembles fiat money and allows easily identify account holders and other users of the payment system (Capgemini 2016). In order to protect e-money funds, numerous security standards have been developed: PCIDSS, OWASP, ISO 27001, and COBIT among others (Capgemini 2016). Nonetheless, the payment system is still vulnerable to cybercrime threats and other risks.

Utilisation and recommendations for business activities:

In order to utilise the learning points described in the paper, Generali Group’s GRC practitioners have to analyse the requirement as well as key features of payment systems used by the company. Taking into consideration the complicated regulatory landscape of FinTech, they have to be aware of risks associated with non-cash transactions (FSPCOMP1) (PSR 2015).

Generali Group relies on the e-money payment system. Therefore, GRC practitioners should develop effective management systems for dealing with the following vulnerabilities associated with a specific nature of e-money: regulatory risk, technology risk, credit risk, liquidity risk, foreign exchange risk, and liquidity risk. Furthermore, there is also a need for effective cooperation and collaboration policies aimed at the mitigation of a wide range of digital risks (FSPCOMP14) (Capgemini 2016).

Conclusion

Generali Group, just like other financial services organisations, requires a seamlessly functioning payment system that will reduce its transaction costs. Furthermore, the company’s GRC practitioners have to be cognisant of numerous risks and vulnerabilities of modern e-payment systems as well as complicated regulatory landscape associated with them. Given that Generali Group has many subsidiaries and branches around the world, it is necessary to ensure the safety of international payment arrangements by carefully studying regulatory frameworks of the key jurisdictions: China, the US, and the UK.

Now I know that non-cash transactions are a key part of future payment trends. I also realise that an effective GRC strategy should incorporate policies and procedures, with proper systems and controls, helping the company to achieve a seamless transition to alternative solutions for payments processing.

Masterclass 4: Current and Emerging Regulatory ‘Hot Topics’

Preamble

Generali Group is interested in minimising the regulatory risk that can substantially reduce the company’s value. Therefore, the insurance company’s governance, risk management, and compliance (GRC) practitioners have to understand fully all regulatory framework components in order to effectively conduct regulatory risk management (RRM) procedures. To this end, GRC support specialists take a holistic view of all regulatory developments in order to detect and fill compliance gaps. However, effective GRC practitioners recognise that such proactive approach to RRM is not always conducive to furthering operational efficiencies; therefore, they aim to ensure that a company’s vision, mission, and objectives are aligned with its GRC principles. Generali Group’s GRC support specialists know that one of the best methods for minimising the regulatory risk is to embed the right culture. The aim of this reflective journal is to explicate the process of the risk management through the development of cultural ethics in the insurance company. The topic is of high relevance to me because by understanding diverse elements of organisational integrity it is possible to ensure that the avoidance of different organisational behaviour, which can be achieved with the help of effective GRC practices, translates into excellent financial performance.

Background reading

Required reading:

• EBA 2014, Benchmarking of remuneration practices at union level and data on high earners, Web.
• Deloitte 2016, Forward look: top regulatory trends for 2016 in Banking, Web.

Additional reading:

• Adler, L 2012, Hire with your head: using performance-based hiring to build great teams, John Wiley & Sons, Hoboken.
• Centre for Economic Performance 2016, Brexit 2016: Policy analysis from the Centre for Economic Performance, Web.
• EY 2016, Rising to the challenge: a review of risk and viability disclosures in September 2015 annual reports, Web.
• Fox, T 2013, How to build a culture of ethics and compliance, Web.
• Kedia, S, Luo, S & Rajgopal, S 2016, ‘Culture of weak compliance and financial reporting risk’, The Journal of Law and Economics, vol. 48, no. 1, pp. 371-407.
• Smith, R 2014, How to hire someone aligned with the company’s mission, Web.
• Zimmerli, W, Richter, K & Holzinger, M 2007, Corporate ethics and corporate governance, Springer, New York.

Key principles and issues raised within the Masterclass

Too Big to Fail

The first learning point from the Masterclass is that even big companies, which have proper controls, policies, procedures, and sufficient resources to conduct their GRC activities, are open to certain regulatory risks that stem from unexpected changes in the regulatory environment.

Regulatory environments can be substantially transformed by:

• industry scandals,
• economic developments,
• political changes,
• Black Swan events,
• the media,
• globalisation, and
• technical breakthroughs.

The election of Donald Trump and Brexit are examples of Black Swan/ political events that are capable of reshaping the regulatory environment to a significant degree. Brexit alone can produce a substantial regulatory impact undermining the normal functioning of Generali Group, which has branches located in different countries.

According, to a recent report issued by Centre for Economic Performance, Brexit’s main promise is to introduce better and less regulation without significantly weakening social protection (2016). In terms of producing meaningful economic benefits for the UK, the report notes that there are “56 regulations derived from EU legislations where the UK government’s Impact Assessment finds that the costs outweigh the benefits” (Centre for Economic Performance 2016, p. 20). If these regulations are scrapped, the country can save up to 0.9 percent of its GDP (Centre for Economic Performance 2016). However, it should be mentioned that the net cost of Brexit exceeds savings introduced by deregulation by far. Centre for Economic Performance (2016) estimates that economic costs of losing EU membership can reach from 6.3 percent to 9.5 percent of the total GDP of the UK (FSPCOMP1).

Compliance Culture

The second learning point from the Masterclass is that compliance culture is one of the driving engines of a company’s success.

In light of numerous factors that can initiate regulatory change, Generali Group has to consider how it can embed cultural ethics and code of conduct in order to ensure that it is ready to face numerous changes in the regulatory landscape. The best way to ensure that the company has a flexible approach to complying with all regulations is to embed compliance culture into all of its processes and protocols (EY 2016). By doing so the company’s management will be able to easily identify dysfunctional elements in their organisational system as well as employees who are willing to take ‘shortcuts’ (Kedia, Luo & Rajgopal 2016).

Generali Group’s code of conduct requires the firm’s employees to report behaviours that might be considered a breach of law or international regulations, thereby promoting transparency and compliance. Duty to comply is especially important since the company has numerous branches around the world. According to an article on cultures of weak compliance, there is a positive association between non-compliance culture and risk of financial misreporting (Kedia, Luo & Rajgopal 2016). The article reveals that “a one standard deviation increase in our measure of firm-level non-compliance culture over its mean is associated with a 12.5 percent increase in the likelihood of a restatement a 25 percent increase in the likelihood of a SEC enforcement and an 11 percent increase in the likelihood of a private class action lawsuit” (Kedia, Luo & Rajgopal 2016, p. 376)

The most important implication of these findings is that non-compliance on company level can bread industry-wide non-compliance practices (Kedia, Luo & Rajgopal 2016). There is ample evidence confirming that “non-compliance culture is not subsumed by industry non-compliance culture” (Kedia, Luo & Rajgopal 2016, p. 376). Therefore, GRC professionals at Generali Group rely on GRC practices derived with the help of the most current cognitive, organisational, and behavioural studies.

Management of Regulatory Requirements

The third learning point that has to be taken away from the Masterclass is that in order to effectively manage regulatory requirements, global organisations such as Generali Group have to develop an adequate structure of moral leadership. Undoubtedly, leadership plays a key role in promoting values in companies. However, great leaders are not those individuals who are in possession of certain values, but rather ones that are able to translate their “values into action and actions into enduring organisational values” (Zimmerli, Richter & Holzinger 2007, p. 67).

Leadership scholars believe that in order for a leader to effectively communicate change in their organisations, they have to hold values and beliefs that are not contradictory in practice (FSPCOMP5) (Zimmerli, Richter & Holzinger 2007).

To achieve consistency in values, Generali Group has a code of conduct that helps it to remain in a leading position in the market by reflecting the diversity of its customer base. Also, the code is aligned with the highest international standards of sustainability, human and labour rights, and fair competition among others. Therefore, the insurance company is able to exercise corporate social responsibility and uphold its excellent reputation. By having expressed the firm’s values to employees, Generali Group’s leadership hope to shape their behaviour and to provide them with corporate identities that would be conducive to the creation of compliance culture. The company recognises that leaders’ values can be influenced by organisational history; therefore, the story of the company is presented in such a manner as to narrow the gap between organisational and personal values of its management.

Utilisation and recommendations for business activities:

In terms or practical application of the key learning points described above, Generali Group’s GRC practitioners have to ensure that both management and employees of the company understand benefits of instilling a culture of compliance. These benefits include, but are not limited to, cost savings, revenue growth, and reduction of risk of adverse consequences.

To this end, the company has to revise its code of conduct in order to communicate effectively to its professionals that they are personally responsible for breaches of regulations as well as all their actions. Generali Group has to clearly state in its code of conduct that it has zero tolerance for corruption in all its forms (FSPCOMP7) (Fox 2013).

Furthermore, the company’s GRC practitioners have to develop and implement comprehensive processes and procedures aimed at strengthening proactive trustworthy behaviour. The creation of a compliance committee, which governs and oversees compliance functions of the firm, is an important step to make sure that, each business unit has a high level of integrity and accountability. Also, the company must have Risk Management and Compliance Policy that serves as a framework for developing effective internal controls. These controls will help to quickly recognise company’s risks and compliance incidents and ensure that corrective actions are taken by appropriate levels of management (Fox 2013).

Generali Group’s code of ethics should mention that its active system of compliance controls is aligned with its attitude of zero tolerance towards corruption.

Moreover, the company has to ensure that its hiring process attracts leaders whose values are aligned with Generali Group’s mission and strategic objectives. To accomplish this, it is necessary to use behaviour-specific questions for soliciting information about past actions of potential candidates (Adler 2012). A review team consisting of department leaders from all company’s units, that will “evaluate feedback about job candidates that is captured by each interviewer” (Smith 2014, para. 4), must also be created. It will make easier the assessment of strengths and weaknesses of each candidate and guarantee that they measure up to the company’s core values. GRC practitioners will help to ensure that leaders are not drifting away from both regulatory requirements and strategic objectives of Generali Group after they have been hired.

Conclusion

The research conducted on the Masterclass topic has helped me to understand better the importance of cultural ethics in managing regulation risks. The most important actions that have to be taken to achieve compliance culture are behavioural and cultural education, the development of effective RRM practices, and monitoring of compliance activities.

Masterclass 5: The Effective Use of Information Technology in Governance, Risk, and Compliance

Preamble

Generali Worldwide (hereinafter referred to as Generali Group) recognises the need for the effective and safe use of information technology (IT) for furthering its governance, risk, and compliance (GRC) functions. The company’s GRC practitioners take a holistic view of principles governing IT’s security context when making decisions about its GRC functionality. They also recognise the importance of aligning IT solutions with the company’s vision, mission, and objectives. Therefore, in order to guarantee flexibility and development of maturing GRC practices, Generali Group’s GRC support specialists have opted for a bespoke IT security solution (Generali Group 2016).

The company’s centralised IT architecture allows its GRC practitioners to access and control a large number of organisation’s processes and activities without endangering the information assets. The following IT security principles allow ensuring that all IT GRC functions are carried out in a safe manner: individual responsibility, use of IT assets, identification of information, availability, and reliability maintenance, security of design, prudence, and segregation of duties (Generali Group 2016).

The aim of this reflective journal is to explore the use of IT in GRC for carrying out management, revision, and compliance functions. The topic is of high relevance to me because by understanding compliance technology, it is possible to ensure that GRC software solutions of Generali Group are aligned with the company’s vision, mission, and objectives, thereby eliminating security vulnerabilities and improving the organisation’s competitive edge.

Background reading

Required reading:

• FCA 2014, Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, Web.
• ICT 2015, ICA professional postgraduate diploma in governance, risk and compliance: course manual – module 6, International Compliance Training Ltd, Birmingham.
• Zitting, D 2015, Data-driven risk and performance management: using transactional data to detect fraud, ensure regulatory compliance, and outrun competitor, Apress, New York, NY.

Additional reading:

• Abdullah, N, Indulska, M & Sadiq S 2012, ‘A compliance management ontology: developing shared understanding through models’, in C Rolland, C Bodart, & C Cauvet (eds), Advanced information systems engineering, Springer, Berlin, pp 429-444.
• Abdullah, N, Indulska, M & Sadiq S 2012, ‘A compliance management ontology: developing shared understanding through models’, in C Rolland, C Bodart, & C Cauvet (eds), Advanced information systems engineering, Springer, Berlin, pp 429-444.
• PWC 2016, Data-driven: big decisions in the intelligence age, Web.
• PWC 2017, IT governance, risk and compliance (IT GRC), Web.
• Spanaki K, & Papazafeiropoulou, A 2013, ‘Analysing the governance, risk and compliance (Grc) implementation process: primary insights’, 21st European Conference on Information Systems (ECIS) conference proceedings, Uxbridge, London, pp. 1-9.
• SWIFT 2014, Compliance analytics: enhanced understanding and management of your financial crime-related risk, Web.

Key principles and issues raised within the Masterclass

Decision Making, Oversight, and Control

The first essential learning point from the Masterclass is that IT can be used to provide GRC specialists with the evidence necessary for decision-making, oversight, and control. Different companies have different regulatory environments that require the use of compliance technology, which can streamline GRC functions, thereby reducing overall costs (ICT 2015). When it comes to customer due diligence (CDD), GRC software solutions are integral to creating a customer’s profile at the point of application. It is only one example of ensuring compliance in the ever-changing regulatory environment in which financial services organisations such as Generali Group have to operate.

Unfortunately, only around 60 percent of decision-making in major companies is based on solid data (PWC 2016). It means that decision cultures of many organisations still do not revolve around the use of modern algorithmic tools. Furthermore, the companies that are somewhat data-driven use available data to “support the conclusions they want” (PWC 2016, p. 2). The refusal to rely on IT GRC solutions is a dangerous trend that can expose a company to numerous compliance risks and diminish its competitive advantage.

Modern IT GRC solutions have management, execution, and control capabilities. However, effective implementation of such software packages depends on how they are aligned with a company’s mission, vision, and objectives as well as GRC specifics that may substantially vary across its different branches. Therefore, in order to ensure that IT GRC solutions necessary for data gathering and oversight of compliance matters, provide reasonable assurance of resilience and security from a company’s operating model perspective, it is necessary to consider the use of bespoke solutions. There is also an option of hiring a third party for the delivery of IT GRC services (FCA 2014). However, after analysing key technical and legal areas of interest, Generali Group has decided against outsourcing its critical technology services (Generali Group 2016).

For an IT GRC solution to deliver one of its benefits of providing GRC practitioners with information aiding their decision-making process, enterprise compliance technology has to be centralised, structured, and organised. There is ample evidence suggesting that companies with above-average IT GRC performance, which is achieved with the help of core structure integration, have “more than 20 percent higher profitability than firms with poor governance” (PWC 2017, para. 7). An import part of achieving a high level of IT GRC performance is to centralise data storage. Not only does it help to meet regulatory requirements but it is also beneficial from a practical point of view. Namely, a financial services organisation that has a homogenous IT platform with central data storage can prove “traceability and liability of information in financial reports” (ICT 2015, p. 7). Moreover, localised data centers will allow more efficient control of corrective actions that have to be taken by a company.

Compliance Analytics

The second learning point of the Masterclass that has to be remembered is that compliance analytics is an invaluable tool helping to assess information from a variety of data sources in order to improve a company’s GRC potential (Zitting 2015). According to Spanaki and Papazafeiropoulou (2013), the Sarbanes-Oxley Act of 2002 necessitated new approaches to a company’s GRC strategy. Many companies used to build their GRC activities around detective measures that come in the form of retrospective reporting (FSPCOMP11). Unfortunately, after-the-fact IT forensics substantially reduce the time for remediation of control deficiencies, thereby undermining the effectiveness of compliance initiatives (Abdullah, Indulska & Sadiq 2012). Automated detection through compliance analytics is an alternative approach to traditional detective measures.

It can be argued that the use of compliance analytics is an effective method for eliminating compliance gaps and predicting policy breaches. Society for Worldwide Interbank Financial Telecommunication (SWIFT) Compliance Analytics is a data-mining platform that can be used by financial services organisations for the detection of financial crime compliance (FCC) risks (ICT 2015). The platform allows its users to “identify behavioural anomalies, unusual patterns and trends, hidden relationships, and high levels of activity with high-risk countries and entities” (SWIFT 2014, p. 1). This learning point is connected to the previous one in that the centralisation of data at all levels is important for conducing relevant investigations by a compliance analytics system. Effective risk management analytics are only possible when standardised data are gathered at a single point of an institution.

Use of IT in Know Your Customer (KYC)

The third learning point is that IT can be effectively used to conduct KYC activities, which are essential for CDD. Despite the preponderance of the evidence, that effective gathering and sharing of KYC information between financial institutions decreases compliance risks, many organisations still rely on legacy systems that hamper the flow of KYC data (ICT 2015). Not only such legacy solutions, which are often based on manual processing, increase error occurrence rates and create regulation risks, but they also diminish the overall quality of client experience.

KYC automation is an area of IT that has been effectively explored by SWIFT in order to provide banks with access to standardised client data through a secured online portal (ICT 2015). It should be mentioned that there are several companies specialising in the delivery of such services, with KYC Exchange Net AG being the largest (FSPCOMP14). Such approach to due diligence allows classifying customers according to their key characteristics that include, but are not limited to, industry, size, risk, and entity. It should be mentioned that recent developments in mobile banking technologies have pushed providers of KYC automation services to include non-traditional customers who have been previously excluded from financial services (ICT 2015).

GRC specialists have to recognise that all KYC activities have to be treated from the Risk Based Approach (RBA) point of view. Choice of every KYC policy presupposes a trade-off; therefore, it is important to achieve an optimal balance between “false acceptance of an invalid identity claim” and “false rejection of a valid identity claim” (Gelb 2016, p. 3). With the help of modern KYC utility systems, it is possible to quickly process KYC documentation, thereby capturing potential information gaps in a timely manner. Also, KYC technological solutions that are based on RBA allow enhancing customer outcomes by avoiding unnecessary false positives (ICT 2015).

Utilisation and Recommendations

When it comes to practical applications of the learning points, Generali Group’s GRC specialists should use GRC functions of IT in order to enhance the quality of their decision making, compliance, and control. It is suggested that that compliance technology should be aligned with the organisation’s vision, mission, strategy, and goals. Subsequently, only bespoke IT solutions should be used for covering specific GRC activities and achieving an optimal level of alignment (ICT 2015).

In order to lower GRC risks in Generali Group, its compliance professionals should make use of SWIFT Compliance Analytics (SWIFT 2014). The service has continuous monitoring and auditing functions that are extremely efficient in detecting all kinds of FCC risks. The real time use of predictive analytics can help the company to introduce powerful prevention measures, thereby avoiding unfavourable future developments.

Efficient integration of IT GRC processes within the company’s control environment is not possible without introducing modern KYC technological solutions.

Conclusion

The research on the Masterclass topic has helped me to better understand the importance of the efficient use of IT in GRC activities of a financial services organisation. Now I know that Generali Group should try to eliminate its manual processing in order to achieve effective, risk-based analysis of KYC information and improve client experience.

Masterclass 6: Governance, Risk, and Compliance Leadership

Preamble

Similar to any other organisation involved in the provision of financial services, Generali Group requires high-quality governance, risk, and compliance (GRC) leadership. There is no doubt that in modern GRC contexts, even the best policies and procedures cannot function effectively without a positive GRC leadership (Blythe & Machold 2011). There are many character traits defining a leader; however, not all of them are conducive to the creation of an effective GRC environment. Therefore, GRC practitioners have to recognise leadership character attributes that are necessary for strengthening a company’s GRC culture.

In addition to choosing a proper model for leadership development, in which “each individual can contribute to the leadership whole” (Sowcik et al. 2015, p. 160), organisations have to ensure that their GRC culture thrives by aligning their vision, mission, and objectives with their ethical codes of conduct. The necessity to avoid GRC leadership failures is underscored by the fact that the world is heading in the direction of ever-increasing geopolitical, social, and economic interconnectedness, which is associated with a wide range of compliance risks (Sowcik et al. 2015). By promoting good governance, financial services organisations will be capable of quickly changing their regulatory focus and ensuring that they survive in the modern market landscape.

The aim of this reflective journal entry is to explore the essence of effective GRC leadership and highlight the importance of personal characteristics that enable the creation of a thriving compliance culture. The topic is of high relevance to me because the integration of compliance policies and procedures in a management structure of Generali Group hinges on the effectiveness of its leadership.

Background reading

Required reading:

• ICT 2015, ICA professional postgraduate diploma in governance, risk and compliance: course manual – module 7, International Compliance Training Ltd, Birmingham.
• Sowcik, M, Andenoro, M, McNutt, M & Murphy, S (eds) 2015, Leadership 2050: critical challenges, key contexts, and emerging trends, Emerald, Bingley.
• FSA 2002, An ethical framework for financial services, Web.

Additional reading:

• Black, J & Anderson, K 2013, Creating an ethical framework for the financial services industry, Web.
• Blythe, B & Machold, R 2011, The human side of GRC: the essence of governance, risk and compliance,
• IBE 2013, A review of the ethical aspects of corporate governance regulation and guidance in the EU, Web.
• Steinberg, R 2011, Governance, risk management, and compliance: it can’t happen to us—avoiding corporate disaster while driving success, John Wiley & Sons, Hoboken, NJ.
• Weinstein, S & Wild, C 2013, Legal risk management, governance and compliance: a guide to best practice from leading experts, Globe Law and Business, New York, NY.

Key principles and issues raised within the Masterclass

GRC Effectiveness and Leadership Characteristics

The first key learning point that has to be taken away from the Masterclass is that effectiveness of GRC hinges upon personal characteristics of a company’s GRC leaders. According to Blythe and Machold (2011), GRC practitioners in companies such as Enron and BP recognise that deficiencies in control culture of an organisation can be ascribed to character traits of its leaders. The scholars argue that the following general traits produce the strongest GRC environment: reachability, empathy, and humility (Blythe & Machold 2011). Self-promotion and complacency, on the other hand, can destroy GRC effectiveness.

Given the increasingly negative perception of corporate leaders and institutions they lead, it is necessary to ensure that GRC practitioners of financial services organisations strive to engender trust. To this end, a strengths inventory developed by Tom Rath can be used. The inventory contains the following items representing core leadership attributes: analyst, communicator, arranger, developer, connector, learner, and strategist (Blythe & Machold 2011). This fundamental competency can be only exercised if a leader is willing to include them in an overarching GRC strategy of a company (Weinstein & Wild 2013).

In addition to possessing core character traits, an effective GRC leader has to understand the risk profile of their organisation at all levels. Periodic culture-checks are also helpful for ensuring that resource allocation decisions are aligned with a company’s GRC strategy, which is necessary for predicting, managing, and responding to a variety of both internal and external risk factors (Weinstein & Wild 2013).

Good Governance

The second learning point is that good corporate governance is not simply a matter of compliance; rather, it is an interplay of leadership, culture, and ethics. Taking into considerations the fact that modern financial services organisations such as Generali Group operate in a dynamic environment, “it is not possible to limit governance to a set of fixed rules or methods” (ICT 2015, p. 16). Therefore, effective GRC practitioners recognise the importance of taking a principles-based approach to governance, which is capable of providing a company with the flexibility needed to adjust quickly to new regulatory realities.

GRC leaders are responsible for providing companies with a sense of ethical direction by incorporating principles of morality and integrity in their behaviour. Furthermore, since the notions of individual and organisational integrity are linked closely together, GRC leaders’ decision-making process should be guided by ideas of fairness and justice. Poor ethical standards can result in the following detrimental effects for an organisation: decrease in market confidence, deterioration of consumers’ protection, and increase in the rate of financial crime occurrence (FSA 2002).

In addition to monitoring their personal behaviour, an exceptional GRC leader has to develop a comprehensive system of incentives and levers for incentivising ethical actions of a company’s employees (FSPCOMP13). Such incentives can serve as benchmarks for competing against industry peers without risking a company’s reputation and public image (Black & Anderson 2013). Furthermore, “ethical scenario analysis and stress-testing” (Black & Anderson 2013, p. 3) can be effectively used by GRC practitioners to detect ethical weaknesses and increase awareness within their organisations.

Board’s Role

The third key learning point from the Masterclass is that a company’s board is responsible for the provision of the frame of reference for building an effective architecture for corporate governance. Therefore, the governance horizon of the future is associated with new board leadership structures that presuppose expansion of shareholders’ authority and rights (Steinberg 2011). There are proposals for splitting responsibilities of a board into two sets: monitoring of GRC function and value added counsel. Despite some flaws of this approach to the prevention of excessive risk taking, such model of board governance can eliminate many compliance issues (Steinberg 2011).

In order to ensure that “the board and senior executive powers operate jointly to prevent excessive risk taking or making decisions that could hinder firm’s capabilities or capacity in the future” (ICT 2015, p. 18), it is necessary to develop a fixed set of checks and balances. One of such balances is the introduction of independent non-executive directors (NEDs). According to the UK Corporate Governance Code issued in 2012, NEDs are necessary for monitoring management performance and reporting of performance (cited in ICT 2015).

To measure the performance of a board, effective GRC leaders rely on the following instruments: peer review, bottom-up review, review by function, completion tracking, and evaluation forms among others (ICT 2015). There are many key metrics that are used for tracking a board’s performance. The most conventional are asset size, goods, and services growth, capital development, and audit results (ICT 2015). The last metric is especially important for gaining a full perspective on a board’s effectiveness because by checking the veracity of a company’s depiction of its financial position, external auditors help to assess GRC success.

Another point that has to be remembered by aspiring GRC leaders is that there should be “a proper balance between management, the board of directors, and shareholders” (Steinberg 2011, p. 273). Sometimes, instead of focusing on the compliance and monitoring function, a board has to engage in the provision of value-added advice to a company’s CEO. A power of shareholders should not be discounted during decision making. In the UK, shareholders are capable of shifting a company’s compensation paradigm, by setting remuneration rates (Steinberg 2011).

Utilisation and recommendations

When it comes to utilising the learning points presented in the paper, GRC specialists of Generali Group have to adopt a strengths inventory developed by Tom Rath and transform it in accordance with their GRC framework (Blythe & Machold 2011).

When defining proper personal leadership characteristics, it is important to pay attention to a leader’s ability to create a big picture of all regulatory and risk areas by analysing compliance environment in which a company operates. This ability can be assessed with the help of online competency testing (FSPCOMP13). Furthermore, a wide range of emerging risks call for other skills such as maintenance of a productive dialogue and articulation of essential risks and driving GRC forces (Blythe & Machold 2011).

Given a strong connection between ethical leadership and effective governance practices, it is important to ensure that leaders act with integrity. Unfortunately, it is impossible to legislate ethical values. However, integrity requirements can be controlled with instruments such as GUBERNA Director’s Toolkit, which helps to guide a director’s behavior. Guidance on Board Effectiveness that has been developed by the UK’s Financial Reporting Council is another method for emphasising ethical behavior of a board (IBE 2013). The instrument can be used alongside codes and guidance developed by Organisation for Economic Co-operation and Development (OECD) and the UK Corporate Governance Code (FSPCOMP1) (ICT 2015).

When it comes to risk management and oversight in Generali Group, the company’s board has to make sure that senior management meets obligations outlined by the Financial Conduct Authority (FCA). These essential obligations include senior management arrangements, code of practice, and principles of business and threshold conditions (ICT 2015). Given that Generali Group’s directors constitute a part-time body, they should dedicate most of their time to monitoring activities and corrective actions.

Conclusion

The paper has outlined three learning points from the Masterclass. The research has helped me to understand that effective GRC culture can only thrive if leaders align a company’s vision, mission, and objectives with overarching GRC activities.

Masterclass 7: Using Corporate Governance Requirements for the Benefit of the Firm

Preamble

Corporate governance is referred to a set of rules, policies, relationships, and systems that governs a company and holds its management to account. A significant body of work has emerged in the area of corporate governance within the frameworks of the following theories: agency, transaction costs economics, stakeholder, stewardship, class hegemony, managerial hegemony, path dependence, political, institutional, and network governance among others (Okoye 2015). The interactions of these disparate theories has produced a complex system, which helps to balance the interests of different actors such as management, shareholders, a country’s government, and community in order to “achieve good governance outcomes and meet reasonable expectations of most investors in most situations” (ASX 2014, p. 3).

The development of corporate governance requirements has been driven by the global financial crisis of 2007-2009 and numerous instances of corporate misconduct (Deloitte 2015). Organisations such as World Bank, Global Corporate Governance Forum (GCGF), and the Organisation for Economic Cooperation and Development (OECD) have promoted the adoption of corporate governance codes. Just like any other financial services organisation, an insurance company, Generali Group, needs a system of corporate governance codes that will satisfy stakeholders’ desire for transparency and accountability. The implementation of principles of good governance can be used for Generali Group’s benefit if the company takes a holistic, innovative, and authentic approach to it.

The relevance of this topic to me is underscored by the fact that in order to make sure that Generali Group preserves its competitive edge, it has to ensure that its corporate governance rules, policies, and procedures are consistent with effective risk management and promote safe insurance undertakings at all levels. The aim of this reflective journal entry is to explore how a system of corporate governance requirements can be used by for the company’s benefit.

Background reading

Required reading:

• Deloitte 2015, The changing role of compliance.
• ICT 2016, ICA professional postgraduate diploma in governance, risk and compliance: course manual – module 8, International Compliance Training Ltd, Birmingham.
• Okoye, N 2015, Behavioural risks in corporate governance: regulatory intervention as a risk management mechanism, Routledge, New York, NY.
• Tricker, B 2015, Corporate governance: principles, policies and practices, 3rd edn, Oxford University Press, Oxford.

Additional reading:

• ASX 2014, Corporate governance principles and recommendations.
• Kearns, P 2014, The 4th pillar—mature organisations are learning organisations, Web.
• Mallin, C 2013, Corporate governance, 4th edn, Oxford University Press, Oxford.
• Maturity Institute n.d., The 10 pillars, Web.
• OM Services n.d., Omindex explained, Web.
• Rampersad, H & Hussain, S 2014, Authentic governance: aligning personal governance with corporate governance, Springer, New York, NY.

Key principles and issues raised within the Masterclass

Change

The first key learning point is that governance, risk, and control (GRC) practitioners to drive change within their organisations can use corporate governance requirements. In order to engender support for GRC activities, it is necessary to make sure that they reduce costs and add value to a company (ICT 2016). It cannot be achieved without changing behaviour of individuals working at all levels of a firm. Leaders espousing principles of authentic governance can bring about the change. Authentic corporate governance refers to “systematic process of continuous gradual, and routine personal improvement, steering, and learning that lead to sustainable high personal performance and ethical personal excellence” (Rampersad & Hussain 2014, p. 5).

The main objective of authentic governance, which radically differs from traditional corporate governance concepts, is to achieve high corporate performance through personal change. Such change can help GRC leaders not only to meet compliance mandate but also to achieve sustainable development of their organisations. The following two models can be used to create a paradigm of shift in a company, which will deliver perpetual transformational process: ‘Be, Know, Do’ and ‘Pinpoint, Record and Reward.’

‘Be, Know, Do’ is a leadership model that can cultivate ethical behaviour in a sustainable way (ICT 2016). The ‘Be’ principle of the model helps compliance specialists to determine which personal character attributes are associated with an effective GRC culture. The ‘Know’ principle is necessary for identification of key GRC knowledge. The ‘Do’ principle emphasises on the action component of a compliance culture (ICT 2016). Pinpoint, Record and Reward is a model that is congruent with the principles of authentic governance. ‘Pinpoint’ is the first component of the model, which presupposes identification of desired corporate behaviours. The second component is monitoring of these behaviours. ‘Reward’ is the third component of the model, which is based on the reinforcement of desired behaviours through meaningful incentives (FSPCOMP7) (ICT 2016).

Maturity

The second learning point is that effective GRC practitioners can benefit their companies by focusing on maturity features of their companies and aligning them with GRC requirements. It is important to understand that the value creation process goes beyond compliance; therefore, a proactive approach is needed to ensure that an organisation conforms with the letter of existing and future regulations and their spirit. The Maturity framework can be utilised for developing “a coherent enterprise-wide management programme that is holistic in its ambitions and goals” (ICT 2016, p. 8). The framework has been developed by the Maturity Institute and helps compliance specialists to maximise value of their organisations and mitigate a wide range risks.

The Maturity framework is based on ten principles/pillars, which rest on the notion of human capital management. The first principle is that organisations have to focus on societal value instead of profits. The second pillar of the framework is the emphasis on the importance of human value in employment relationship (Kearns 2013). The third pillar is the holistic approach to corporate governance. The fourth principle is knowledge management as a core organisational value. The principle requires GRC practitioners to “show their organisations how to learn to make an honest profit in the face of any pressures to do otherwise” (Kearns 2014, para. 5). The fifth principle is that in addition to material risk management, mature companies should engage in human capital risk management, which involves analysis of employees’ risk factors. The sixth principle is the integration of a human resources (HR) strategy into a broader business strategy (Maturity Institute n.d.). A philosophy of perpetual improvement is the seventh principle of the framework. The eighth principle is trust, engagement, and cooperation. Performance culture, which is essential for the long-time survival of every organisation, is the ninth principle. The final pillar of the framework is open and transparent communication (Maturity Institute n.d.).

Leadership of a Compliance Function

The third learning point from the Masterclass is that by effectively leading a compliance function of a company, GRC leaders can realign shareholders’ interests with those of stakeholders, thereby increasing the long-term value of an organisation. Under stakeholder theory, it is clear that a company would be better off if its leadership is focused on maximising stakeholder value (Mallin 2013). There are several sets of stakeholders: employees, interest groups, communities, customers, creditors, suppliers and government among others. The involvement of shareholders and stakeholders into the governance of a company hinges upon national laws and a company’s codes and principles (Mallin 2013). It is a GRC leader’s role to make sure that a governance system of their organisation is propitious for the creation of a productive dialogue between these two groups of people.

An overriding criterion of GRC activities in the company has to be value creation for both shareholders and stakeholder. In order to manage shareholder-stakeholder divide effectively, GRC leaders have to take control of a compliance function by creating a vision for compliance. To be effective, a compliance function has to be governed according to ‘the top from the top’ principle (ICT 2016). It means that a GRC leader has to become a driver of compliance who always keeps best possible outcomes for both shareholders and stakeholders of their company in mind.

Utilisation and recommendations

In order to utilise the learning points in Generali Group, the company’s GRC practitioners have to become agents of change who “steer the organisation towards ethical corporate excellence” (Rampersad & Hussain 2014, p. 14). To this end, the Plan-Deploy-Act-Cultivate cycle can be used. The framework helps to develop an actionable code of corporate governance following four steps. It will help the company to make sure that in an attempt to create the short-term value for its shareholders it does not compromise the long-term value for its stakeholders (FSPCOMP5).

It is imperative to utilise the Maturity framework, which will help to avoid disjointed HR strategies and maximise the efficiency of resource and information utilisation. GRC practitioners of Generali Group can start by rating their company along key indices of organisational maturity rating (OMR) under the guidance of Omindex experts (OM Services n.d.). The rating will help to assess Generali Group’s value potential from two perspectives: operational risk and total stakeholders value. After having a better understanding of the company’s maturity, GRC specialists will be able to reassess motivations that “underlie the values expressed by the firm and the value placed on human capital” (ICT 2016, p. 8).

In order to lead a compliance function of the company, it is necessary to develop an internal communication plan, which through internal communication channels of the company will help to engender support and trust for both GRC leadership and overarching GRC goals (Tricker 2015). Furthermore, GRC practitioners can use reinforcement of desired behaviours through financial incentives for those teams and individuals who help to strengthen compliance culture of the company (FSPCOMP9).

Conclusion

The paper has shown that GRC practitioners to introduce meaningful changes to their organisations can use corporate governance requirements. It has been argued that by understanding a unique interplay between stakeholders and shareholders, it is possible to integrate and harmonise two groups of interests, thereby maximising the long-term business value.

Masterclass 8: Developments in Financial Crime

Preamble

Financial crime is a type of criminal behaviour that occurs as a result of a confluence of economic gain-based motivation and opportunity. Financial crime or white-collar crime negatively affects nations, governments, and organisations by threatening the stability of financial systems and exposing them to substantial financial losses (Edelbacher, Kratcoski & Theil 2012). Governance, risk, and compliance (GRC) practitioners of an insurance company, Generali Group, are cognisant of the fact that false representation, misuse of assets, forgery, theft, corruption and other types of financial crime have to be prevented at all cost (Generali Group 2014). Financial institutions are especially vulnerable to both financial crimes and sub-crime threats; therefore, there is a pressing need for the implementation of proper risk-based countermeasures.

The majority of financial crime risks constitutes internal threats that emanate from companies’ staff and threaten to undermine both their financial standing and reputation. There are many methods for financial crime risk mitigation that concentrate on the following core areas, namely; governance, structure, risk assessment, policies and procedures, staff recruitment, and quality oversight (ICT 2015). Effective GRC specialists have to recognise vulnerabilities of their organisations, as well as products and services they produce, to both internal and external threats.

This reflective journal entry aims to explicate the recent financial crime developments from a GRC practitioner’s point of view. It will also explore the methods for safeguarding financial services organisations against internal and external threats. The topic is highly relevant to me because financial fraud is extremely prevalent in the insurance industry.

Background reading

Required reading:

• ICT 2015, ICA professional postgraduate diploma in governance, risk and compliance: course manual – module 9, International Compliance Training Ltd, Birmingham.
• Donaldson, S, Siegel, S, Williams, C & Aslam, A 2015, Enterprise cybersecurity: how to build a successful cyberdefense program against advanced threats, Apress, New York, NY.

Additional reading:

• Alhosani, W 2016, Anti-money laundering: a comparative and critical analysis of the UK and UAE’s financial intelligence unites, Palgrave Macmillan, New York, NY.
• Bank Info Security 2014, How to fight fraud with artificial intelligence and intelligent analytics.
• Carnegie Mellon 2012, Insider threat study: illicit cyber activity involving fraud in the U.S. financial services sector.
• Edelbacher, M, Kratcoski, P & Theil, M 2012, Financial crimes: a threat to global security, CRC Press, Boca Raton, FL.
• FATF 2012, The FATF recommendations, Web.
•  Generali Group 2014, Anti-fraud policy, Web.
• Gottschalk, P 2014, Financial crime and knowledge workers: an empirical study of defence lawyers and white-collar criminals, Palgrave Macmillan, New York, NY.
• Hongming C 2016, Financial crime in China: developments, sanctions, and the systemic spread of corruption, Palgrave Macmillan, New York, NY.
• Manky, D 2017, Petya, Wannacry, and Mirai—is this the new normal?, Web.
• MAS 2017, Provision of digital advisory services, Web.
• Plenderleith, J 2017, Artificial intelligence in financial services: here to stay?, Web.
• Skife, H, Veenman, D & Wangerin D 2014, ‘Internal control over financial reporting and managerial rent extraction: evidence from the profitability of insider trading’, Journal of Accounting and Economics, vol. 55, no. 1, pp. 91-110.

Key principles and issues raised within the Masterclass

Risk Exposure

The first key learning point is that organisations engaging in the provision of financial services are characterised by a high level of financial crime risk exposure. Intentionally harmful activities that are driven by economic gain-based intentions have usually been associated with Western countries. However, recently even developing countries that are undergoing rapid marketisation have witnessed a surge in white-collar crimes. For example, some analysts suggest that since 2000, Chinese banks lost more than $2.8 billion annually due to bank fraud (Hongming 2016). This development has led to the introduction of amendments to the country’s criminal law and triggered numerous investigations conducted by the China Securities Regulatory Commission (CSRC) Enforcement Bureau (Hongming 2016). Furthermore, governments around the world impose uniform risk-based countermeasures on their financial institutions.

Money laundering (ML) is a type of financial crime that is especially prevalent among financial services organisations. ML refers to “the process which criminals use to obscure the real origin of the proceeds which have been derived from criminal activities” (Alhosani 2016, p. 1). Compliance officers should carefully follow the Financial Action Task Force (FATF) recommendations as well as to make use of a toolkit developed by the organisation in order to avoid negative outcomes (FSPAML8).

Artificial intelligence (AI) is a new frontier of GRC. Until recently, the technology has been used mainly for the provision of digital advisory services through client-facing tools (MAS 2017). Professionals from many domains have recognised its effectiveness and low cost. However, it is also associated with additional technology risks, which have been addressed by the Monetary Authority of Singapore (MAS) (Plenderleith 2017). AI can also be used effectively for fraud prevention. In fact, the technology has been applied successfully to prevent illicit activities in a wide range of business sectors. Financial services organisations rely on AI to analyse patterns of card and endpoint access usage (FSPAML18). RBS WorldPay (payment-processing firm), has utilised AI for several years to trace illicit transactions, thereby preventing card fraud (Bank Info Security 2014). MasterCard has also incorporated the use of AI into its risk management activities.

Effective GRC leaders have to take a proactive approach to mitigating financial crime risks. Not only to help avoid negative consequences of fraudulent activities, but also to make it easier to “address the influx of new regulatory challenges” (ICT 2015, p. 10). However, a successful compliance culture represents a confluence of proactive and reactive measures. The effective alignment of such measures can be achieved if GRC practitioners develop a flexible policy approach allowing them to address both domain.

Internal Risks

The second learning point is that financial crime is a threat that often arises from within a company. A study of white-collar criminals shows that staff members are the ones who are responsible for unlawful behaviour and perpetration of crimes such as embezzlement, accepting bribes, misusing pension funds, and engaging in other abuses of trust (Gottschalk 2014). By analysing the results of global economic crime surveys, the study has shown that 75 percent of companies reporting lawbreaking have experienced asset misappropriation, 36 percent accounting fraud, 23 percent intellectual property infringement, 14 percent corruption, and 12 percent money laundering (Gottschalk 2014). Another study conducted by the Credit Industry Fraud Avoidance System (CIFAS) shows that in 2011, insiders committed 60 percent of frauds (ICT 2015).

Corruption and fraud hinder economic development and undermine the reputation of financial services organisations. Despite the fact that recent years have seen a decline in financial fraud, which points to the effectiveness of anti-fraud policies, GRC practitioners have to recognise both areas of abuse and specific fraudulent activities in which malicious insiders are known to engage (Carnegie Mellon 2012). For example, unauthorised trading and insider dealing are two illegal activities that can destroy financial institutions. Therefore, GRC leaders are responsible for developing and implementing governance systems that have controls against both low-level and high-level internal crimes.

According to Skife, Veenman, and Wangerin (2014), there is a link between the amount of capital gains from insider trading and effectiveness of internal control over financial reporting (ICFR). The researchers argue that ‘tone at the top’ approach is “the foundation of effective internal control” (Skife, Veenman & Wangerin 2014, p. 92). It means that in order to dissuade some internal financial crimes, it is necessary to improve the quality of ICFR in a company (FSPCFC4; FSPCFC7). GRC specialists have to be cognisant of the fact that a high level of chief executive officer (CEO) and chief financial officer (CFO) turnover is also indicative of ineffectual ICFR (Skife, Veenman & Wangerin 2014).

Cybercrime Threats

The third learning point from the Masterclass is that cybercriminals are often motivated by financial reasons; therefore, financial services organisations are vulnerable to cyberattacks. According to a recent investigation conducted by Federal Bureau of Investigation’s Internet Crime Complaint’s Centre, the list of the most perpetrated cybercrimes includes the following items: non-delivery payment, identity theft, computer crimes, miscellaneous fraud, credit card fraud, and overpayment fraud among others (ICT 2015). Thus, cyberdefence in financial services organisations has to revolve around “protecting the confidentiality, integrity, and availability of data and the IT systems that process it” (Donaldson et al. 2015, p. 9).

Utilisation and recommendations

The use of promotion, protection, and enhancement (PPE) instruments, developed by the European Commission, can be fairly effective in fighting against many types of financial crime (ICT 2015). GRC practitioners working in financial services sectors should apply the tools in the following areas: culpability, accountability, integrity, stewardship, proportionality, and asset recovery (ICT 2015).

In order to diminish the risk of financial crime occurrence, GRC practitioners of Generali Group, in addition to using the PPE tools, should also recognise personality traits of white-collar criminals (FSPCFC16). According to Gottschalk (2014), these traits include, but are not limited to, narcissism, hubris, social dominance, and Machiavellianism. In addition, neurotic personality types often display a lack of behavioural self-control that can result in the desire to take risks. Gottschalk (2014, p. 7) argues that white-collar criminality is also associated with gender and claims that people engaging in financial crime are usually “from 26 to 40 years of age, earn a substantial annual income, and have been employed for between 2 and 5 years.” It means that effective pre-employment screening practices can deter financial fraud. Also, a special report issued by Carnegie Mellon (2012, p. 15) recommends to reach out employees experiencing financial struggles and offer them assistance in order to prevent them from “finding illegal means of solving their problems.”

GRC specialists have to ensure that both data and infrastructure of their companies’ IT systems are protected against cyber threats. To this end, they have to implement enterprise cybersecurity by organising personnel, selecting security controls, defining scopes of security policies, implementing them, and monitoring security effectiveness (FSPAML18) (Donaldson et al. 2015). Security practitioners of Generali Group should also make use of Internet Organised Crime Threat Assessment (iOCTA). Lastly, it is important to protect companies’ data and resources against high profile ransom cyber-attacks such as Mirai, Petya, and Wannacry by segmenting vertical and horizontal traffic (Manky 2017).

Conclusion

The paper has outlined recent trends associated with financial crime from a GRC practitioner’s point of view. It has explicated effective methods for protecting the financial sector institutions from both internal and external threats. Given that Generali Group is vulnerable to white-collar crimes, it is hard to overestimate the relevance of this topic to me.

Masterclass Executive Summary

Preamble

Compliance is not just a set of policies that have to be followed by a company; rather, it is an overarching culture, which helps an organisation to make sound judgments and prevents it from running afoul with the law. The application of skilled governance, risk management, and compliance (GRC) principles to corporate business activities is essential for solving a great number of fundamental concerns regularly faced by modern financial services organisations.

Because of manifold overlapping of key GRC areas, it is impossible to develop and implement a comprehensive GRC strategy without effective leadership, which is necessary to ensure that the human vector of an organisation is aligned with its goals and objectives. Therefore, effective GRC leaders should be more than skilled GRC practitioners.

Outstanding GRC practitioners are individuals who explore capabilities of modern information technologies (IT) systems to support GRC activities in their organisations. There is no denying that it is not possible to establish a wide systemic oversight without taking an integrated approach to automating a company’s GRC architecture, thereby securing the boundaries of business activities against a wide range of internal and external threats.

Background reading

Required reading:

• Donaldson, S, Siegel, S, Williams, C & Aslam, A 2015, Enterprise cybersecurity: how to build a successful cyberdefense program against advanced threats, Apress, New York, NY.
• ICT 2015a, ICA professional postgraduate diploma in governance, risk and compliance: course manual – module 7, International Compliance Training Ltd, Birmingham.
• ICT 2015b, ICA professional postgraduate diploma in governance, risk and compliance: course manual – module 3, International Compliance Training Ltd, Birmingham.
• Bradt, G, Check, J, Pedraza, J 2006, The new leader’s 100-day action plan: how to take charge, build your team, and get immediate results, Wiley, New Jersey, NJ.

Additional reading:

• Abdullah, N, Indulska, M & Sadiq S 2012, ‘A compliance management ontology: developing shared understanding through models’, in C Rolland, C Bodart, & C Cauvet (eds), Advanced information systems engineering, Springer, Berlin, pp 429-444.
• Bank Info Security 2014, How to fight fraud with artificial intelligence and intelligent analytics.
• Black, J & Anderson, K 2013, Creating an ethical framework for the financial services industry.
• Blythe, B & Machold, R 2011, The human side of GRC: the essence of governance, risk and compliance, Web.
• Chmielewski, C 2004, Values and culture in ethical decision making.
• FRC 2016, Corporate culture and the role of boards, Web.
• Gozman, D & Currie, W 2015, ‘Managing governance, risk, and compliance for post-crisis regulatory change: a model of IS capabilities for financial organisations’, 48th Hawaii International Conference on System Sciences (HICSS) conference proceedings, Honolulu, Hawaii, pp. 4661-4698.
• Hunt, R 2014, ‘Why governance, risk and compliance projects fail – and how to prevent it’, Computer Fraud & Security, no. 6, pp. 5-7.
• Nissen, V & Marekfia, W 2013, ‘Towards a research agenda for strategic governance, risk, and compliance (GRC) management’, 15th Institute of Electrical and Electronics Engineers Conference on Business Informatics (CBI) conference proceedings, Vienna, Austria, pp. 124-134.
• SWIFT 2014, Compliance analytics: enhanced understanding and management of your financial crime-related risk, Web.
• Zimmerli, W, Richter, K & Holzinger, M 2007, Corporate ethics and corporate governance, Springer, New York, NY.

Key principles and issues raised within the Programme

GRC Leadership and the Human Dimension

In the wake of the 2007 crisis, it became clear that the financial services industry cannot function without effective GRC leadership. The rapid expansion of GRC requirements necessitates agile, resilient, and visionary leaders who are capable of ensuring that a company acts in accordance not only with the size and scale of its operations but also within the boundaries of an ethical framework for corporate governance (Black & Anderson 2013).

Exceptional GRC leaders recognise that human element is a central part of the GRC-related culture. Evidence from behavioural sciences research points to the fact that a ‘tone at the top’ approach is essential for structuring controls “that can be used to influence the determinants of compliance behaviour” (Nissen & Marekfia 2013, p. 126). Therefore, in order to strike an optimal balance between a company’s strategy and GRC programs, it is necessary to align both explicit and implicit GRC activities with the behaviour of an entity’s employees by showing a strong commitment to compliance principles.

The leaders who are responsible for implementing GRC initiatives not only should properly tailor their communication strategies to influence staff throughout a company but they also have to demonstrate their commitment to business change through prioritisation of resources (Hunt 2014). Those GRC practitioners whose focus during the implementation stage of GRC projects is on the technical deliverables fail to recognise that “implementing a GRC initiative effectively is not possible without the support of staff throughout the organisation” (Hunt 2014, p. 6). To achieve such support, leaders should possess a set of specific character traits. The following leadership attributes have been found to be conducive to the development of a strong GRC environment: reachability, humility, and empathy (Blythe & Machold 2011). There are also traits that can destroy the effectiveness of a GRC strategy. These traits are self-promotion and self-righteousness. It has to be borne in mind that moral leadership does not exist without leaders showing consistency in their values, which manifests in actions that can be translated “into enduring organisational values” (Zimmerli, Richter & Holzinger 2007, p. 67).

One of the most important learning points from the programme can be formulated as follows:

The establishment of ethical GRC practice hinges on character traits and ethics of a leader who by taking responsibility and guiding by example controls the human dimension of a GRC framework.

Compliance Culture

Another learning point that has to be taken away from the programme is that compliance culture does not only help financial organisations to navigate complexities of the modern regulatory landscape, but it also supports safe corporate growth by streamlining alignment between risk management and strategic planning. It has to do with the fact that while risk taking is essential for outperforming industry peers, it is important to ensure that financial services organisations do not engage in quasi-legal activities that more often than not permanently damage businesses.

In light of significant regulatory changes that usually follow major geopolitical events such as Brexit, GRC leaders have to ensure that their organisations are capable of taking a flexible approach to complying with new requirements and obligations. In order to achieve positive regulatory outcomes, human skills, attitudes, and behaviours should be informed by “ethical standards and the perspective that are consistent with organisational success” (Gozman & Currie 2015, p. 4661). A culture of honesty can be controlled at the board level; therefore, GRC practitioners have to ensure that the discourse on ethics takes place and helps to drive corporate performance.

Compliance culture is of the highest importance in cases when a financial services organisations outsource some of their functions to third parties. It has to do with the fact that subcontract services performed at different nodes of a firm’s supply chain are inherently associated with the acquirement of additional risks (ICT 2015a). Therefore, the adherence to compliance and ethical principles by subcontractors has to become a key element of consideration when designing a GRC framework.

IT, Payments Systems, and Financial Crime

The development of IT has promoted the reduction of transaction costs and enhanced liquidity of financial markets by introducing new payments systems. Most importantly, the increased automation has helped to improve GRC functionality. Namely, the adoption of IT solutions has changed the way information for GRC use is being collected, stored, and reported (Donaldson et al. 2015). The emergence of IT compliance analytics has made it possible to quickly eradicate and control deficiencies that undermine the effectiveness of compliance initiatives (Abdullah, Indulska & Sadiq 2012). By gathering data at a single point of a financial services organisation, it has also become possible to “identify behavioural anomalies, unusual patterns and trends, hidden relationships, and high levels of activity with high-risk countries and entities” (SWIFT 2014, p. 1).

Despite its numerous benefits, the introduction of IT into organisational processes of financial institutions is associated with the inherent risk of financial crime. Crime in finance or white collar crime is nonviolent criminal behaviour that transpires as a result of a combination of financial gain-directed motivation and opportunity. An effective GRC specialist should be able to quickly recognise and eliminate financial crime vulnerabilities of their companies.

There are two types of financial crime threats: internal and external. More often than not internal risks arise from within an organisation. There is ample evidence suggesting that lawbreaking such as misuse of pension funds, bribery, embezzlement, intellectual property infringement, and money laundering among others is perpetrated by staff members. A survey issued by the Credit Industry Fraud Avoidance System (CIFAS) reveals that insiders commit more than 60 percent of financial crimes (ICT 2015b). It means that GRC leaders should place an emphasis on internal areas of abuse in order to avoid corruption and fraud. It has to be borne in mind that unauthorised trading and insider dealing are the most pernicious types of illegal activities that can undermine the stability of financial organisations.

Artificial intelligence (AI) is a new line of defence in fraud prevention. In addition to being utilized for the provision of online advisory services, it can be applied to the detection of illicit activities such as card fraud (Bank Info Security 2014). GRC should introduce the technology into their companies, thereby mitigating the risk of illicit transactions and other fraudulent activities associated with the world of finance.

Utilisation and recommendations

In terms of the practical application of the key points raised in the programme to business activities of Generali Group, it can be argued that extremes on an ethical continuum can be avoided if GRC leaders utilize the following rules. The rule of private gain helps to avoid gaining something at the expense of others, which is extremely important in the context of financial services organisations that function on the win-win basis. Another rule formulated by Chmielewski (2004) urges leaders to ask ‘who would be hurt?’ during their process of decision making. Also, it is extremely important that GRC practitioners always try to align their actions with an organisation’s core values (FSPCOMP5).

The programme has helped me to understand that in order to facilitate the development of compliance culture in Generali Group, the company’s GRC leadership has to ensure that its code of conduct not only helps to comply with regulatory requirements but also urges employees to report non-compliance behaviour (FSPCOMP8). Duty to report has to be explicitly outlined in the code, thereby promoting transparency, which is essential for a company that has many branches around the world (FSPAML20). Compliance culture should also be promoted at the board level; therefore, GRC practitioners have to ensure its accountability by following the guidelines of a report issued by the UK Financial Reporting Council in 2016 (FSPCOMP12) (FRC 2016).

The programme was key for developing critical-thinking and organizing skills, which are essential for satisfying fiduciary and security requirements of financial services organisations, reducing the rate of occurrence of financial crimes, and promoting corporate growth.