According to Michael Rasmussen, VP of risk and compliance research for Forrester Research (Cambridge, Mass.), the industry is moving away from siloed technology to more holistically integrated solutions. But while banks are relatively mature in their adoption of technology for compliance, he says, they still need to consolidate their existing systems.
Likewise, individual compliance solutions need to be stitched together more seamlessly, concedes Bill Nosal, managing director of compliance products for the wealth management division of SunGard. Instead of mega applications, banks need components and smaller applications that they can build upon, he asserts, noting that this kind of framework relies upon a common services architecture where components can be aggregated to provide functional compliance applications.
"All banks are asking for a broader integrated solution," Nosal says. The umbrella term for these solutions, he notes, is GRC, which stands for governance, risk and compliance.
A GRC software platform needs to be sustainable, consistent and efficient, Forrester's Rasmussen adds. He says that every individual at the bank, from top executives down to temp workers, needs access to the system for it to be successful. The four technology areas that go into a GRC software platform are policies/controls, assessment, analytics and loss/investigations, he explains.
The GRC software platform market has grown from $85 million in 2002 to $590 million in 2006, and is projected to reach $1.3 billion by 2011, according to Forrester. Some of the leading vendors in the financial services GRC software space include Algorithmics (Toronto), Oracle (Redwood Shores, Calif.), SAP (Newtown Square, Pa.), i-flex (Mumbai), SAS (Cary, N.C.) and SunGard (Wayne, Pa.).
In January, Edison, N.J.-based Reveleus, a business of i-flex solutions, released the Reveleus Governance, Risk and Compliance framework. Reveleus says that the solution solves two challenges faced by financial institutions worldwide when it comes to risk and compliance: the hidden costs of multiple systems and the duplicative processes that hinder a bank's ability to holistically manage the impact of risk and compliance events.
Reveleus' GRC framework was built to solve past and future compliance problems by allowing institutions to mix and match their existing technologies, says S. Ramakrishnan, CEO of Reveleus and Mantas, which also is an i-flex business. He notes that the framework relies on an analytical infrastructure and surveillance technologies.
But an enterprisewide approach to compliance is not right for every bank, according to Guillermo Kopp, executive director and global research fellow for TowerGroup (Needham, Mass.). Rather, non-Tier 1 banks can look to business process optimization for compliance relief, he says.
The first step is identifying opportunities for consolidation and synergy, Kopp relates. A year ago, nobody knew how much they were spending across the enterprise on risk and compliance. "Today we know the answer and we know that it's too much," he says. "The industry is spending $330 billion on risk management and compliance annually, and almost 80 percent is administrative expense."
To cut those expenses, a bank's CIO or CFO should look for opportunities for synergy among systems, Kopp relates. Instead of having two solutions for Sarbanes-Oxley in different business units, for example, the bank should look for a solution that would work across business lines, he says.
San Francisco-based Union Bank of California is among the banks looking for ways to streamline technology to ensure that the bank is not duplicating efforts and spending needless time and money on compliance, according to Ron Hoffer, VP and senior IT audit manager for UBOC ($51.3 billion in assets). "We have a very favorable view of technology in general and how it can go about solving business needs," he explains. "We have increasingly looked for prepackaged vendor solutions as a way to leverage the processes we already have at the bank and come up with cost-effective ways to deal with new regulations that have been put in place," Hoffer adds.
"We would rather acquire software packages that have the support of the industry as opposed to building it from within," Hoffer continues. "It's a better model for us. Simply put, we know what we are good at, and we are not a software company."