May 2023 | Report

Prioritizing Governance, Risk, and Compliance to Build a Lasting Impact in Banking

Without a clear vision, banks will miss the opportunity to grow and win

Prioritizing Governance, Risk, and Compliance to Build a Lasting Impact in Banking

The banking industry is experiencing systemic change from all sides—volatile markets, increasing dependence and influence of technology, and both shifting consumer and corporate banking demands—and it feels like any moment there could be another shoe that drops. 

There’s also heightened awareness and scrutiny around risk and whether organizations are equipped to protect their systems and customers. To see the impact of this intersection of technology and risk management on risk governance in banking, West Monroe conducted a survey of 200 bank executives to gauge strengths, obstacles, and ongoing challenges.  

The results from Q1 2023 showed common pain points and highlighted areas of improvement in having a truly nimble, digital operating model that mitigates and resolves risks leveraging the right controls by having the right people, processes, and technologies in place.  

Challenges from legacy systems are just one piece of the puzzle. Only 53% of respondents feel that their program management is strategic and nimble enough to adopt risk-related improvements, leaving room for many to differentiate and add value through technology risk management as it becomes table stakes for banks.  

The survey showed that navigating a world where banking and technology are increasingly interdependent is difficult when there are legacy systems in place that may not be able to hold up against today’s challenges and regulatory shifts. The survey’s findings confirm the belief that banks need to continuously improve their technology to avoid lagging behind competitors. 

Only one-in-three banks are widely using proactive measures and best-in-class tools to manage risk, highlighting an increasing need to shift away from a reactive approach.  

It’s no secret that banks need to shift how they address technology security, compliance, and risk management: 92% of respondents said their organization places a high priority on enhancing this, noting it’s a frequent topic of conversation during C-suite and board-level discussions. But companies are slower to act than they should be—which ultimately hampers streamlining efforts. Teams are left addressing issues and framework gaps, unable to focus on the priorities that will help achieve desired business outcomes and reduce costs. Further, banks with $50-200 billion and $200 billion-1 trillion in assets are still finding their stride in implementing automation and best-in class tools to manage risk, whereas large organizations ($1 trillion+) are widely using these in day-to-day operations. 
The top roadblock to getting new products to market is control applicability and rationalization to adhere to security and compliance, with 60% of respondents finding this their greatest hurdle. 

Banks identified that they all also face at least one of the following challenges:  

  • Teams do not cross collaborate well to quickly make decisions and approve changes 
  • We struggle to understand and identify the applicability of controls 
  • Control environment cannot be clearly defined 

This is echoed when respondents identified their greatest opportunities for improvement within risk management functions: enhanced design, implementation, and oversight of security, compliance, and risk management controls. 

When it comes to roadblocks to implementation, there was a clear differentiator among mid-size banks ($200 billion to $1 trillion): 90% of respondents in this category indicated their top roadblock was not having the right controls in place to achieve their desired speed to market for updates, implementations, and/or new products. This is much higher than the 64% of smaller banks ($50-200 billion) and 50% of larger banks ($1 trillion+). Instead, the top roadblock for larger banks was a lack of in-house expertise to quickly address security, compliance, and risk concerns surrounding a speedier go-to-market pace. 

Survey respondents indicated that failure of controls and regulatory change are the two areas that would have the largest potential impact on their organizations. 

Deployment of new technologies (like migration to public cloud) was a top response when respondents were asked to identify what may have the greatest impact on their organizations. But the inherent concern around controls preventing forward progress shows a clear value proposition for bolstering infrastructure and processes. 

Nearly half of respondents (48%) felt effective design and implementation controls, along with better embedding of security personnel into product teams and development processes, would have the biggest impact on their organization’s technology risk management functions. This continues to show the role a flexible operating model can play in navigating risk through optimized teams.  

On the path toward balancing opportunities and strengths, banks must lean into existing capabilities and identify areas to build up. Addressing gaps in capabilities is critical for maintaining differentiation, working toward a proactive risk management posture, and ultimately mitigating risk.  

Additional survey findings include the following: 

  • One-third of respondents felt greater overall visibility and identification of security issues would be the most important anticipated benefit from improvements to technology risk management programs. 
  • The top two technology areas organizations are prioritizing include big data/data warehousing (57%) and cloud adoption and/or migration (53%). 
  • Just under three-quarters of respondents (74%) said it takes between 4 to 12 weeks to remediate a finding for closure sign-off. This is both a broad range that can make it difficult to plan around and also increases time spent pausing other initiatives that could be saved on the upfront. This also incurs additional costs related to resources constantly context shifting between initiatives.   
  • Large and smaller banks view regulatory compliance as their biggest challenge related to technology security, compliance, and risk management—while mid-sized banks are more concerned about information, cybersecurity, vendor, and third-party risk above any other challenge. 

The role of having an embedded, aligned team to create value  

Just 31% of respondents said their security, compliance, and risk management team is embedded in the development process and works directly with product teams to design with security in mind. By not bringing them into the picture until later in the process, banks risk limiting their effectiveness and perpetuating issues getting the right controls and frameworks in place. 

This also creates a conflict between teams, duplicating work between groups that are likely balancing different priorities and incentives. Building an embedded internal team plays a huge role in alleviating these concerns, as constrained development of solutions largely hinges on lack of stakeholder alignment and lack of consensus on issues and solutions (according to 44% of respondents).  

With just 8% of banks who said budget availability is a constraint for investing in enhancements to the risk and controls program, the vast majority (92%) are navigating a people-and-operating model challenge at their core. This all ladders up to the challenge of competing organizational priorities and initiatives (identified by 63% of respondents). Having the right people in place at the right time to showcase value and create buy-in can prevent the 4-to-8-week derailment half of companies are experiencing to close out an issue. Control framework management and rationalization may feel like basic parts of this, but they’re critical to business continuity and being able to support other value-creating initiatives across the organization. 

The bottom line 

Banks need to bridge the gap between effective controls, having the right knowledge embedded in the right places, and developing sustainable compliance frameworks. These steps will be necessary in order to reduce time spent on resolving issues, streamlining processes, and implementing a proactive risk management approach without sacrificing go-to-market speed and revenue returns. 

Explore our latest perspectives