Excerpts from the panel discussion in the GRC Red Flag Series episode on September 15th, 2022, featuring Michael Rasmussen, GRC Pundit, GRC 20/20, Anja Ugedahl, Head of Business Performance Management-Sparebank 1 Nord-Norge, and Owe Lie-Bjelland, Director of GPRC Program, Corporater.
Michael: What do you think are the challenges that Sparebank 1 Nord-Norge (SNN) is facing from a business perspective?
Anja: We, as well as many other financial firms in Norway, have seen many years of great performance. Albeit this is not necessarily automatic for the years to come, and we are starting to ask ourselves what we would do in a time of lower financial results both for us and our subsidiaries. Now we are at a stage with high inflation and rising interest rates. What does this imply for customers? When it comes to us as a bank, we are located in the north, so a lot of our exports are related to fish oil, etc. What does that mean in the long term with everything going on at the moment? We currently have a very challenging geopolitical situation with a lot of tension across different countries as we’re located close to the Russian border. So, there are quite a lot of things moving in that area as well.
Michael: Too often, there’s this disconnect between GRC (Governance, Risk, and Compliance) and Performance Management but they belong in context together. How have you corrected this perspective and brought Performance Management into the Governance, Risk, and Compliance framework, particularly the risk and compliance context in the organization?
Anja: When we started, we were heavy on the Performance Management side of things. Currently, we’re collaborating with Corporater on the Performance Management module, but we’re also developing GRC modules. We tend to look at ‘GPRC’ as ‘PGRC’, whereby the user defined in the performance module in our bank is basically the ‘G’ whose roles and responsibilities are related to that user in order to understand the full mandate of that user. It’s both on the performance side (‘P’) as well as on the risk and compliance (or) control side (GRC). We have started talking about performance not just as something that you’re able to deliver based on the business area or specialization within the group, but as a continuous balance between what you’re able to deliver (results) and the quality. We are not completely there yet, but we’re still working on bridging the two sides and making it into one common methodology within the group.
Michael: Owe, you know this disconnect between GRC and Performance Management, and how Anja with SNN has approached this. Have you seen others approach it in the same way? Any other things you can glean from your other customers on how to bridge this gap and bring performance into GRC?
Owe: Anja’s approach is to focus on the ‘P’ first, and then bring in GRC and its quality aspects. We also see the other way around when they try to focus on the GRC areas first, and then they have this extended project of aligning them with performance down the road. So, any route is applicable. It’s basically up to the businesses to focus on what’s important to them. The GRC definition is so versatile that it allows you to focus on the challenges that you have so that you start to get your ducks in a row with the ones that are most important to you, and you can add more ducks down the road.
Anja: I agree with Owe’s comment on how we can start from either end — the GRC side or start with Performance Management, building on components. One of the things that we experienced at SNN was that when you prepare for a common way of working across measuring performance or defining performance, it’s easier to start with the business metrics, and then build on the risk and compliance side.
Owe: Another example from my side is that we have customers that start with just a tiny part of GRC, maybe a compliance program, or information security. So, when we provide advice to them to have some sort of alignment with the business aspect of what is important for the organization to perform, they even align their information security program with some high-level performance objectives so that it is not disconnected. That means, you can connect everything in this holistic framework as you go. You can start small, and then you can grow big. Michael, you were asking about this gap we mentioned earlier, lagging indicators versus leading indicators, and how to connect them. It is actually at the core of how we align performance in GRC.
Anja: For example, when we do our Performance Management cycle, we always start with setting goals and planning. That’s all based on the key performance indicators and getting that set up correctly each year. Now that we’ve started to test it with risk indicators, we hope to be able to see the two sides of the same equation. For instance, how many new loans should we subscribe to during the year? If we only chase that goal, we might again lose the balance between the risk and the performance. So once we set up the credit risk, we set up risk indicators regarding the market, customer default levels, etc. We can even adjust the performance numbers if it looks like the quality is getting a little bit uncertain or vice versa.
Now that we’ve started to test it with risk indicators, we can see the two sides to the same question.
Michael: We sometimes put the cart before the horse. Similarly, GRC is also called ‘CRG’ because too often that’s how organizations approach it. They approach it first from a compliance point of view, then they might add on risk, and too often risk management is a compliance exercise and not true risk management. If they might never get to governance, what advice do you have for companies to correct this and flip this around so it’s a flow from the G to the R to the C?
Anja: From my perspective, after working with a GRC program, it’s almost as though you need to think about a GRC program or implementing GRC as a new product development or creating a new IT system for a customer. So, what I recommend is that before you start anything start thinking about the vision of where you want to go with GRC or GPRC to get holistic Performance Management. And, around that time, you’ll also get a sense of what kind of cultural components you want to build in the long run because that is linked to the value and vision part. The next question would be who are the users of this GRC or GPRC solution? What are the risks to be managed? What types of compliance issues are there potentially, in different areas? What types of controls are important to build for and, last but not least, what types of performance data indicators are relevant for the various groups? Take one step back and think about the vision and the value.
Owe: It seems to me that you have a very strong focus on the people in the lines, down in the first line, and as with many customers, we see a reporting focus usually focused on the top management or the board. Can you speak a bit about how important that is to SNN?
Anja: Before we even started working with Performance Management (the first part of GPRC), we started developing this model called the SNN model for implementing Performance Management in the group. We’ve built this model as an implementation framework for the new way of working, and in this model, there are three layers. The first outermost layer is the methods that we’re using – common steering principles, common steering processes, and common steering information. Then, we have the middle layer, which is the digitalization of the Performance Management or GRC components, which for us is the Corporater system, our IT tool. Finally, the innermost layer of this model is the user. For every KRI, KCI, or KPI, depending on where you are on the whole four-letter definition, it should always be tailored to the role and responsibility of the user in the middle. We have developed it in such a way that each respective user group, depending on roles and responsibilities, has access to what their focus should be, actions they’re initiating based on the focus, and also what kind of insights the KPIs, KRIs, and KCIs are driving. It’s user-centric, but it also makes it quite complex.
You need to think about a GRC program or implementing GRC, as a new product development or creating a new IT system for a customer.
Michael: How do organizations develop and cultivate the ABC of integrating governance, performance, risk, and compliance (GPRC)?
Anja: The ABC (Attitude, Behaviour, and Culture) model enables me to break down culture from a conceptual point of view, and try to see how that fits in with how I see Performance Management including GRC. When it comes to behavior, we can facilitate an IT system. If we have good user stories linked to what type of insight each user needs, we can determine what type of behavior they should initiate. Based on that insight, we can use an IT system to generate a certain type of behavior, meaning a bit of a cultural aspect there. When it comes to attitude, I’ll go back to one of my previous answers regarding how you go around starting with GPRC or PGRC. I believe creating that vision and defining that value will somehow, or should at least, have a cultural aspect embedded in it. So, what type of attitude is it that you want to foster with your Business Performance Management system? Is it only Performance Management, or across Performance Management and GRC?
Owe: We have to start with the tone from the top. It is an extremely important fact that when the top management acquires a system to get GRC right, it is a very good signal for user adoption. All in all, technology could drive culture to govern the program in the organization, and if done correctly, we can achieve the benefits of cultivating a culture of integrated GRC into performance.
For example, if the user gets an indication or a notion of how this data is used up in the chain and how this will drive performance, then it can do something about the attitude instead of just being a reporting tool that is isolated from the performance world.
Michael: What is the role of technology in bringing performance and GRC together in a financial services organization?
Anja: Technology provides numerous ways of handling data across the organization. We’re able to generate different dashboards from a user perspective based on roles and responsibilities. We’re able to go up in the organizational hierarchy to see aggregated data to help us to follow a kind of red thread from strategy, whether it’s on the business side, or on the risk side, and to see how it flows not only downwards but also upwards depending on where in the organization the user is sitting. So, if you do something 90% of the time in one way and 10% of the time in another way, a technology tool will not necessarily allow for those differences to change how you’re executing and viewing things. So, you’re creating a much stronger and solid foundation in how the business should be operating, whether it’s relating to performance or risk and compliance.
Owe: The financial services industry has some guidelines recorded in BCBS 239; it’s about prudent risk management, and although those guidelines are focused on credit risk, the principles of BCBS 239 are valuable for the non-financial risk domain as well. And basically, the 14 principles outline how we should achieve principled performance in financial services. It is aimed at globally and domestically systemically important banks, but also local, smaller banks can benefit from the principles. Look at BCBS 239 to help you model your prudent risk management to achieve performance in financial services.
Click here to watch the replay of this episode.