With the New Year firmly in the rearview mirror, banks and credit unions are getting back to business and focusing on priorities and challenges for the remainder of the year. One of these challenges is the need to cut through the regulatory noise. Julia O’Connell, Quantivate’s senior vice president of product management, offers some insights on the regulatory environment and compliance risk management in the following interview.
Julia: The constant barrage of regulatory changes and focal points coming from financial regulators makes it hard to know what pertains to your institution and what’s important. But it can’t all be high risk. To sift through the noise, compliance teams should ingest published regulatory information into the institution’s compliance management process and perform a risk assessment as soon as possible, even if the changes required are in the distant future.
It’s important to at least acknowledge any risks that exist, knowing they will get risk-rated later and could present very low or even no risk. Then schedule a discussion with business line managers to determine if any of the risks should be completely removed from the risk assessment—for example, a risk pertaining to a line of business the institution doesn’t engage in, as it would truly carry no risk and could be removed. Also, ensure you’ve documented the discussion.
Julia: Yes, that’s what I was suggesting. This proactive approach documents that you understand the regulator’s perspective and have responded to it promptly. It also gets conversations underway with business line managers while the information is fresh. There’s no need to conduct an ad-hoc risk assessment out of cycle simply because regulatory perspectives were published, but it’s an opportunity to at least discuss the content and start to determine what really matters. It’s a great way to avoid being overwhelmed when risk assessments are due. This does not apply to finalized regulatory guidance, however, and those should go through a risk assessment as the changes are published.
Julia: It’s important not to succumb to the pendulum effect. The pendulum effect occurs when what’s important to the institution changes with each publication by regulators. This happens when managers are mostly reactive, instead of proactive. It’s okay to have small shifts in your understanding of what’s important, and what presents a risk, but there shouldn’t be major swings every time the regulators publish their perspectives.
Julia: A reminder to financial services organizations that the risk assessment process should be based on a standardized procedure that involves quantitative as well as qualitative measures. A GRC management platform can help capture regulatory changes and prioritize your responses to those changes, systematize risk identification and assessment, and offer a single-lens approach to managing risk and compliance.