The differences between GRC approaches in Europe and the Middle East
The governance, risk and compliance (GRC) industry is constantly evolving, adapting and responding to a plethora of stimuli, including economic, governmental and organisational changes. Global economic events such as the 2008 financial crisis were particular markers that changed the way organisations all over the world viewed GRC and financial services. Following this, GRC programmes were reimagined and implemented holistically to reunify organisations and remove the silos that had formed in the race for maximum growth pre-2008.
The West and the regulatory environment
In the West, governments took to implementing stringent regulations, enforced by regulatory bodies such as the Financial Conduct Authority (FCA) in the UK, the European Systemic Risk Board (ESRB) in Europe and the Securities & Exchange Commission (SEC) in the US, to name a few. These bodies seek broadly to enforce regional legislation and issue sanctions to keep organisations in check in the hopes of preventing any future financial disasters.
Now, a decade on from the 2008 financial crash, Europe continues to be a heavily regulated region and faces ongoing regulatory evolution, with new laws such as MiFID II already implemented this year and the General Data Protection Regulation (GDPR) due to be enforced on the 25th May. In addition, the regulatory ramifications following the Brexit vote could see many more changes in the UK to come. However, the approach to GRC adoption within European organisations has shifted from wide-scale implementation to a more ad hoc one. GRC initiatives across Europe are becoming specific to one factor, such as the implementation of GDPR, bringing the threat of fixing one GRC ‘leak’ only to see another emerge elsewhere.
Reputation and regulation in the Middle East
Yet, it seems the shoe is on the other foot in other regions, such as the Middle East. While legislation and sanctions from regulatory bodies have remained fairly low, enterprises have faced intense scrutiny from customers and partners in recent years. In today’s age of transparency, the customer view and voice have been magnified by on-demand news and social media, as well as sites such as change.org that demand action from businesses all over the world.
This has been a particular issue for financial market participants in the Middle East, with the global spotlight focusing on anti-money laundering (AML) and terror funding initiatives due to high-profile incidents that have graced global news platforms. Over recent years, multiple court cases have linked financial institutions with money laundering or terror funding investigations and, regardless of their outcomes, they have influenced the West’s decision to invest in financial institutions throughout the Middle East and wider region.
Increasingly, consumers want to buy from businesses that are acting ethically. As a result, banks and other financial institutions in the Middle East feel they’re under higher levels of pressure than they would face from a regulator or government and are seeking to project a stable and responsible company image outward to the global market. Often this is a decision coming from C-level executives rather than, as in the West, a response to departmental requirements. Boards and executives in the Middle East have realised that fixing a specific issue in response to a single regulatory pressure doesn’t remove the spotlight on them, simply because of who and where they are, so they react by looking at enterprise GRC holistically.
Implementing a strong GRC programme and corporate culture
Companies that are looking to bolster GRC processes successfully throughout their organisation need to look at the internal culture and existing systems in place and foster buy-in from employees. This can be done by encouraging three changes in how employees and programmes work; slowly but surely, how they think will follow.
Unify and integrate GRC systems
In order to view the company and risk ecosystem as a whole, firms should unify any siloed GRC operations that may have branched off in separate departments or locations. Following reunification, organisations should implement holistic and integrated GRC processes to standardise compliance management, taxonomy and operations processes across the board. Mapping each regulation to global objectives, business processes, risks, controls and policies will help identify patterns across multiple business units and areas of compliance. Decision makers and board executives will be able to assess risks and compliance requirements across multiple regulations that are affecting the entire organisation.
Monitor internal and external sentiment
Customer sentiment, particularly toward financial services organisations in the Middle East, is constantly changing and affected by global news and events. Organisations can track a variety of intelligence sources (including regulatory agencies, trade associations, industry publications, national publications and social media) to stay informed on current issues and regulatory intelligence. As such, ethical behaviour can lead to increased brand respect in the global market, and organisations with self-governance programmes are seen as a safe pair of hands.
In addition, organisations need to monitor employee engagement with new GRC programmes. One of the best practices for this is to push changes from the top down and the bottom up. Educating senior employees on how their role helps to achieve the business’s objectives enables ethical management, and employees lower down the chain follow. Furthermore, encouraging employees to interact with systems through a recognition scheme facilitates interaction with programmes as well as improvement at user level.
Utilising consumerised technology
Technology is changing the game. Today, since information is readily available on demand, users in organisations have low tolerance for out-of-date, slow enterprise software; vital applications are often bypassed and don’t serve their intended function. By turning to consumerised GRC technology, organisations can ensure employees actively, or passively, engage with GRC processes. Automating business programmes will streamline activities, reducing the costs of admin- and data-heavy processes, and free up employee time, boosting productivity while reducing risk exposure.
Market regulation is undoubtedly vital; however, as seen in the West, overregulation can stifle holistic GRC innovation. As such, some of the best benchmarks in corporate GRC may soon be found in the Middle East instead of Europe. Despite fewer regulations, Middle Eastern companies are having to self-govern to a higher standard to attract global investment, and their GRC programmes are flourishing as a result.
Regardless of location or industry, culture change within an organisation is hard to achieve and harder to measure. But if organisations take on these changes to create a living GRC programme with centralised, technologically advanced systems that are regularly assessed and updated from all ends of the employee chain, they have the best chance of preventing, adapting to and anticipating GRC risks in the organisational ecosystem.
By: John Palmiero, SVP of EMEA at MetricStream