GRC in the Digital Age

  1. Regulatory and industry landscape

As the tech revolution ripples across industries, we are starting to see its disruptive potential. This will change regulatory and customer expectations and give easier access to both massive volumes and different types of data, with the potential to completely transform the industry landscape.

Regulators continue to emphasise the importance of a robust Governance-Risk-Control environment and sustainable systems & controls. With a continued threat from bad actors and increased regulatory and legislative focus, Financial Crime Risk is a top priority across all industry sectors, both in the UK and globally.

Unfortunately, the size of the problem is only growing. The most recent UN study concluded that criminal proceeds amounted to 3.6% of global GDP, with 2.7%, or USD 1.6 trillion, laundered, while an IMF study stated that the aggregate global size of money laundering was somewhere between 2 and 5% of global GDP.

The growing financial crime (FC) problem, market evolution and regulatory changes, strongly supported by the UK Digital Strategy, encourage businesses to embrace innovation and deliver a richer and safer customer experience, fostering financial inclusion and preventing financial crime.

Rising regulatory scrutiny in the transformed industry landscape drives a need for a more proactive and holistic GRC approach. Moreover, expectations to use technology and data to achieve effective GRC are growing exponentially, with end-to-end solutions utilising AI to quickly analyse large volumes and different types of structured and non-structured data and reach dynamic decisions.


  2. The comfort zone of traditional pyramid thinking

The traditional thinking in the GRC environment starts with defining the process, promptly followed by building teams, utilising existing tools and deploying various technology solutions, all operating in the familiar hierarchy of organisational pyramid structures. In most cases this approach leads to an array of point solutions to achieve individual control objectives, and significant manual operational checks.

The GRC structure is typically tagged onto the firm’s business model and strategy, rather than the business strategy being explicitly designed to maximise effectiveness both of customer experience and risk management (for example with regard to the details of the target client set).

Furthermore, the vast majority of existing solutions in the market are quite fragmented and while they aim to automate processes within established control structures and help achieve incremental efficiency improvement, they still do not offer robust and holistic governance or a sustainable control environment.

The current approach, with multiple solutions deployed, often impairs productivity and can impact customer relationships, presenting an obstacle to sustainable growth. The already high cost of compliance continues to grow further. Thus organisations struggle to manage, as there are:

  • Too many tools and too many point solutions
  • High volumes of data – often inconsistent – that is not being updated dynamically
  • Processes that are not joined up and are only semi-effective in controlling risk

These factors can make it almost impossible to stay on top of the constantly changing customer and supplier risk, and lead to delays in undertaking genuine business activity, often causing negative customer experience.

The cost of compliance continues to grow. Banking and Financial Services spending is estimated in excess of $10Bn and is seen as the largest regulatory spend category, with spending growing 10–15% over the last 4 years and growth forecast to continue. An average bank's spend on FCC in the UK is estimated at £40m to £300m pa, with cost increasing exponentially.

Meanwhile regulators in the UK and globally continue to raise repeated concerns over:

  1. Consistent failure on systems & controls across industry
  2. Lack of and increasing need for stronger governance, better quality risk assessments and greater awareness of potential vulnerabilities of their products, services and distribution channels
  3. Too many SARs that authorities are struggling to deal with in a timely manner


  3. Digital and data is the new reality

Forward-looking businesses are pushing towards a digital and customer centric model, with data and analytics shaping vision and strategy.

Successful organisations are embracing the digital revolution, placing data and technology at the core of enabling organisational strategy and governance, driving informed risk direction from the top rather than accessorising existing processes with some spicy gadgets.

As time is of the essence, machines and data become critical in helping across the governance framework – holistically, proactively and consistently across all layers of risk activities, aligning the framework with growth strategy.

In this new environment, key features of robust enterprise-wide governance and effective risk management include:

  • A unified platform and data architecture for enterprise-wide risk based monitoring, investigation and reporting
  • A focus on data quality, leveraging layering and consistency, ensuring a single customer view and integration of internal and external data, structured and non-structured, into a single place where analytics can be run
  • A flexible and dynamic data model – facilitating integration of new public and private data sources and 3rd party systems; as well as proactive thinking – i.e. discovering hidden patterns of relationships and proactively flagging in real time when a customer’s risk profile changes or the customer is engaging in higher risk transactions or networks
  • Automated analytics to continuously improve proactive alert activity and its accuracy
  • Flexibility to adapt to different markets and regional/ international regulators

Overall, while the individual advanced features of each service are important, the consistency, quality and integration across them are more critical in order to achieve a sustainable system of controls and to be able to govern this effectively at the enterprise level.


  4. What does good look like? – Future GRC to achieve FCC objectives

Traditionally GRC follows the organisational direction through the established structures and operating model. GRC of the future requires a transformation of the traditional thinking.

The core components of a forward looking future GRC function continue to involve framework, talent and tools. Considerations for those however differ significantly in the new environment:

Start with Business Model and Strategy

Business strategy and risk management must be designed and executed in tandem, so as to avoid common issues of customer friction and poor outcomes on either sustainable growth or risk objectives. This means that there is a clear view on the desired target clients, propositions, products and services, and the risks associated with this target set. Both customer journeys and risk capabilities need to then be specific to this strategy, typically enabling significant simplification from trying to cater to all scenarios (for example in client onboarding journeys which are key to both growth and financial crime risk).

Data should then drive everything

Placing data at the core of defining business strategy and enterprise-level risk assessment utilising modern technology can help organisations to achieve more sustainable GRC and efficient operating models.

This data-driven approach at the heart of establishing business strategy and aligning with the GRC framework creates better fit-for-purpose business models and, as a result, supports more effective capital allocation and funding.

Core systems need to be evaluated as to whether they can enable this holistic data capability, rather than trapping data in functional silos. This will also enable the organisation to deliver a step change much more widely, as enterprise data capabilities can enable the use of the same data not just for financial crime, but also for credit risk, marketing, etc.

Different talent is needed

The pace of external changes introduces new requirements and high expectations of flexibility, transferrable skills and dynamic learning abilities. The new-style GRC function needs to attract different calibre teams with skills that are important to the organisation of the future; and foster their professional growth in this new evolving environment playing on their strengths and giving them freedom within the established framework.

Underpinned by tools, processes and operating model  

Objectives of the new tools are to enable robust governance and proactive risk management using a data-driven dynamic approach across various layers of risk activities. Unlike the majority of present point solutions, expectations for new tools not only focus on automation of processes within the existing control structures, but most importantly require implementation of a new concept by driving integration across those structures and consolidation of risk activities.

The tools of the future should be designed to help organisations with their risk-informed strategy and to enable confident risk appetite decisions, thus underpinning sustainable growth and appropriate operating models to support effective implementation of risk policies.

They are expected to facilitate:

  • Consolidation of multiple independent data sources into a single clear view
  • A holistic view of the overall portfolio, risk exposures across the portfolio as well as single customers
  • Implementation of risk policies across the portfolio, ensuring consistent control judgement is applied to every customer with the relevant evidence and record keeping
  • Transparent risk strategies, proactively highlighting priority areas and identifying hidden risks and risk triggers
  • Instruments for dynamic risk monitoring
  • Spotting trends and drivers of risk changes as well as correlation with products/ portfolio changes over time

Thus new-style GRC supports and enables organisations' Financial Crime Risk strategic objectives, such as:

  • Understanding risk trends and the drivers behind them
  • Better quality and on-going Risk Based Approach
  • Greater awareness of potential vulnerabilities of products, services and distribution channels


This article was written for by Advisory Board Member Lana Abdullayeva and Richard Davies, Commercial Banking Director at TSB