Professional Postgraduate Diploma in GRC – Masterclass Evaluation template for Executive Summary
Generali Worldwide Insurance Company (hereinafter referred to as Generali Group) recognizes the need for the effective and safe use of information technology (IT) for furthering its governance, risk, and compliance (GRC) functions. The company’s GRC practitioners take a holistic view of principles governing IT’s security context when making decisions about its GRC functionality. They also recognize the importance of aligning IT solutions with the company’s vision, mission, and objectives. Therefore, to guarantee the flexibility and development of maturing GRC practices, Generali Group’s GRC support specialists have opted for a bespoke IT security solution (Generali Group 2016).
The company’s centralized IT architecture allows its GRC practitioners to access and control a large number of the organization’s processes and activities without endangering its information assets. The following IT security principles ensure that all IT GRC functions are carried out safely: individual responsibility, use of IT assets, identification of information, availability, reliability maintenance, security of design, prudence, and segregation of duties (Generali Group 2016).
This reflective journal aims to explore the use of IT in GRC for carrying out management, revision, and compliance functions. The topic is of high relevance to me because by understanding compliance technology, it is possible to ensure that GRC software solutions of Generali Group are aligned with the company’s vision, mission, and objectives, thereby eliminating security vulnerabilities and improving the organization’s competitive edge.
Key principles and issues raised within the Masterclass
Decision Making, Oversight, and Control
The first essential learning point from the Masterclass is that IT can be used to provide GRC specialists with the evidence necessary for decision making, oversight, and control. Different companies have different regulatory environments that require the use of compliance technology, which can streamline GRC functions, thereby reducing overall costs (ICT 2015). When it comes to customer due diligence (CDD), GRC software solutions are integral to creating a customer’s profile at the point of application. It is only one example of ensuring compliance in the ever-changing regulatory environment in which financial services organizations such as Generali Group have to operate.
Unfortunately, only around 60 percent of decision-making in major companies is based on solid data (PWC 2016). This means that the decision cultures of many organizations still do not revolve around the use of modern algorithmic tools. Furthermore, the companies that are somewhat data-driven use available data to “support the conclusions they want” (PWC 2016, p. 2). The refusal to rely on IT GRC solutions is a pernicious trend that can expose a company to numerous compliance risks and diminish its competitive advantage.
Modern IT GRC solutions have management, execution, and control capabilities. However, the effective implementation of such software packages depends on how well they are aligned with a company’s mission, vision, and objectives, as well as with GRC specifics that may vary substantially across its different branches. Therefore, to ensure that the IT GRC solutions needed for data gathering and oversight of compliance matters provide reasonable assurance of resilience and security from a company’s operating model perspective, it is necessary to consider the use of bespoke solutions. There is also the option of hiring a third party to deliver IT GRC services (FCA 2014).
However, after analyzing key technical and legal areas of interest, Generali Group has decided against outsourcing its critical technology services (Generali Group 2016).
For an IT GRC solution to deliver one of its key benefits, providing GRC practitioners with information that aids their decision-making process, enterprise compliance technology has to be centralized, structured, and organized. There is ample evidence suggesting that companies with above-average IT GRC performance, achieved through core structure integration, have “more than 20 percent higher profitability than firms with poor governance” (PWC 2017, para. 7).
An important part of achieving a high level of IT GRC performance is centralizing data storage. Not only does this help to meet regulatory requirements, but it is also beneficial from a practical point of view. Namely, a financial services organization that has a homogeneous IT platform with central data storage can prove the “traceability and liability of information in financial reports” (ICT 2015, p. 7). Moreover, localized data centers allow more efficient control of the corrective actions that a company has to take.
The second learning point of the Masterclass to remember is that compliance analytics is an invaluable tool that helps assess information from a variety of data sources to improve a company’s GRC potential (Zitting 2015).
According to Spanaki and Papazafeiropoulou (2013), the Sarbanes-Oxley Act of 2002 necessitated new approaches to a company’s GRC strategy. Many companies used to build their GRC activities around detective measures that come in the form of retrospective reporting. Unfortunately, after-the-fact IT forensics substantially reduces the time for remediation of control deficiencies, thereby undermining the effectiveness of compliance initiatives (Abdullah, Indulska & Sadiq 2012). Automated detection through compliance analytics is an alternative approach to traditional detective measures.
It can be argued that the use of compliance analytics is an effective method for eliminating compliance gaps and predicting policy breaches. The Society for Worldwide Interbank Financial Telecommunication (SWIFT) Compliance Analytics is a data-mining platform that financial services organizations can use to detect financial crime compliance (FCC) risks (ICT 2015). The platform allows its users to “identify behavioral anomalies, unusual patterns, and trends, hidden relationships, and high levels of activity with high-risk countries and entities” (SWIFT 2014, p. 1).
This learning point is connected to the previous one in that the centralization of data at all levels is important for a compliance analytics system to conduct relevant investigations. Effective risk management analytics is only possible when standardized data are gathered at a single point within an institution.
Use of IT in Know Your Customer (KYC)
The third learning point is that IT can be used effectively to conduct KYC activities, which are essential for CDD. Despite the preponderance of evidence that the effective gathering and sharing of KYC information between financial institutions decreases compliance risks, many organizations still rely on legacy systems that hamper the flow of KYC data (ICT 2015). Not only do such legacy solutions, which are often based on manual processing, increase error rates and create regulatory risks, but they also diminish the overall quality of the client experience.
KYC automation is an area of IT that SWIFT has explored effectively to provide banks with access to standardized client data through a secured online portal (ICT 2015). Several companies specialize in the delivery of such services, with KYC Exchange Net AG being the largest. Such an approach to due diligence makes it possible to classify customers according to key characteristics that include, but are not limited to, industry, size, risk, and entity. Recent developments in mobile banking technologies have pushed providers of KYC automation services to include non-traditional customers who were previously excluded from financial services (ICT 2015).
GRC specialists have to recognize that all KYC activities must be treated from the risk-based approach (RBA) point of view. The choice of every KYC policy presupposes a trade-off; therefore, it is important to achieve an optimal balance between “false acceptance of an invalid identity claim” and “false rejection of a valid identity claim” (Gelb 2016, p. 3). With the help of modern KYC utility systems, it is possible to process KYC documentation quickly, thereby capturing potential information gaps promptly. Also, KYC technological solutions based on RBA enhance customer outcomes by avoiding unnecessary false positives (ICT 2015).
Utilization and Recommendations
When it comes to the practical application of the learning points, the GRC specialists of Generali Group have to use the GRC functions of IT to enhance the quality of their decision making, compliance, and control. To this end, it is recommended that compliance technology be aligned with the organization’s vision, mission, strategy, and goals. Therefore, only bespoke IT solutions should be used to cover specific GRC activities and achieve an optimal level of alignment (ICT 2015).
To lower GRC risks in Generali Group, its compliance professionals should make use of SWIFT Compliance Analytics (SWIFT 2014). The service has continuous monitoring and auditing functions that are extremely efficient in detecting all kinds of FCC risks. The real-time use of predictive analytics can help the company introduce powerful preventive measures, thereby avoiding unfavorable future developments.
The efficient integration of IT GRC processes within the company’s control environment is not possible without introducing modern KYC technological solutions.
The research on the Masterclass topic has helped me to better understand the importance of the efficient use of IT in the GRC activities of a financial services organization. Now I know that Generali Group should try to eliminate its manual processing to achieve effective, risk-based analysis of KYC information and improve client experience.
Abdullah, N, Indulska, M & Sadiq, S 2012, ‘A compliance management ontology: developing shared understanding through models’, in C Rolland, C Bodart & C Chauvet (eds), Advanced information systems engineering, Springer, Berlin, pp. 429-444. Web.
Generali Group 2016, Operational risk management guidelines—company IT security guidelines. Web.
ICT 2015, ICA professional postgraduate diploma in governance, risk and compliance: course manual – module 6, International Compliance Training Ltd, Birmingham. Web.
PWC 2016, Data-driven: big decisions in the intelligence age. Web.
PWC 2017, IT governance, risk and compliance (IT GRC). Web.
Spanaki, K & Papazafeiropoulou, A 2013, ‘Analysing the governance, risk and compliance (GRC) implementation process: primary insights’, 21st European Conference on Information Systems (ECIS) conference proceedings, Uxbridge, London, pp. 1-9. Web.
SWIFT 2014, Compliance analytics: enhanced understanding and management of your financial crime-related risk. Web.
Zitting, D 2015, Data-driven risk and performance management: using transactional data to detect fraud, ensure regulatory compliance, and outrun competitor, Apress, New York, NY. Web.