EAGLE EYE REPORT : THE ROLE OF GRC FOR ETHIOPIAN BANKING INDUSTRY

THE ROLE OF GRC FOR ETHIOPIAN BANKING INDUSTRY

There are different definitions for GRC, but the one that best explains this business vision is the one extracted from the article “Frame of Reference for Research of Integrated Governance, Risk & Compliance (GRC) “ (Racz, Weippl and Seufert). In this it is said that GRC is “ An integrated and comprehensive approach to address the areas of corporate governance, risk and compliance throughout the organization, respecting ethics and in accordance with the risk profile, internal policies and external regulations. This vision must be aligned with the company’s strategy, its processes, technology and its different human teams, in order to improve efficiency and effectiveness.”

With this type of management, it is sought to automate the processes related to these areas; for more accurate data capture that helps you achieve greater value. By means of precise technological tools, not only would a correct data capture and processing be achieved, but also a better traceability of the processes, which would allow a quick reaction in cases of incidents. To achieve an optimal implementation of the GRC, 4 basic steps must be taken into account, which are:

1-     PRIOR ANALYSIS OF THE ORGANIZATION’S SITUATION

From the mapping of its processes and the level of maturity of the company; you should think about what the first steps could be, and what processes are with which the implementation could begin.

2-     STATE THE SCOPE OF THE PROJECT AND OBJECTIVES

Once the previous analysis is done, the objectives to be achieved, the implementation times and the growth projection must be established.

3-     ACQUISITION OF A SOFTWARE TAILORED TO THE NEEDS

Having clear objectives, and what would be the steps to follow; a GRC tool must be acquired that allows to automate and centralize the information to the areas of interest. It is important that this is defined according to the real needs that the company has at that moment; so as not to spend on a tool that is oversized for business operations, nor on one that does not provide a solution to all these needs.

4-     MONITORING AND CONTINUOUS IMPROVEMENT OF THE MODEL

Monitoring is key to implementing new improvements and perfecting current systems. By monitoring all processes and equipment, you create better communication channels, improve your response time and generate relevant data for the business.

THE MAIN FUNCTIONS OF GRC

Being a management that involves different related areas of the business, there are specific functions that must be fulfilled, so that the proposed Ethiopian objective can be reached. Deloitte identifies 4 main functions, which are:

• AUDIT MANAGEMENT 

Its main function is to assist internal auditors in the management of working papers and in the planning of tasks related to the audit. It also helps you to get better time management and present the information obtained more clearly.

• POLICY MANAGEMENT 

It is a specialized form of document management that helps the life cycle of policies from the creation, review, update and archiving of these. In addition, it creates a link between policies and business mandates and objectives, on the one hand, and risks and controls on the other. Finally, it allows a distribution of these policies to employees and business partners and helps generate verification by these groups.

• COMPLIANCE MANAGEMENT 

It enables compliance professionals to better manage documentation, workflow, information presentation, and visualization of control objectives and associated risks, among other things. Compliance management will include financial information, but also other information, such as information on specific industry regulations and on the evaluation of compliance with internal policies.

• RISK MANAGEMENT 

This tool assists risk professionals with risk documentation, workflow, assessment, analysis, visualization, and remediation. This function is generally focused on monitoring risks and incidents, but can collect data from risk analytics tools (Credit Risk, Market Risk, etc.) to offer a more holistic view.

ETHIOPIA : NEW TRENDS FOR THE COMING YEARS

Being a management that has to evolve at the speed of technology, many experts agree that, for the next few years, there will be a series of improvements within the GRC approach.

• STRENGTHEN TECHNOLOGY TOOLS FOR FASTER INCIDENT DETECTION

The aim is for the new GRC platforms to be able to detect areas of improvement or incidents within operations in real time, for a quick response to them. This information, in turn, can be shared in real time with all those involved to improve communication and the participation of a greater number of people in the search for the best solution. Technologies for the automation of business processes and incidents can help a lot in this task since the needs could be managed more quickly and precisely; In addition, they collect more relevant information to initiate immediate communication with the responsible areas.

• FOCUS ON OBTAINING DATA

Data collection is a key process in business growth. It is for this reason that companies must implement analytical tools to process the information of their operations; in addition to generating ideas that help them grow and control the risks that may arise. Companies must have platforms that allow the centralization of information so that it can be managed by all areas of the business and thus improve the speed of response to customers and suppliers. In addition, this information is useful for the creation of manuals and action protocols for future opportunities where similar incidents occur. But as data storage grows,

To this, in addition, new regulations are added, such as GDPR, which impose strong restrictions on the retention time of data and its processing. To truly optimize the value of data, organizations need to focus on implementing platforms that enable compliance with their data governance policies and controls.

• TOTAL INTERCONNECTION OF RISK MANAGEMENT

The modern business world is evolving into a Ethiopian network of interconnected suppliers, partners, vendors, regulators, and customers. For this reason, traditional isolated risk programs are simply no longer effective in a dynamic risk environment. Organizations now need to understand risks, not in isolation, but broadly to find the relationships between them. This integrated approach will require a digital platform that enables audit, risk management and compliance teams; make a transparent record of risks, incidents and responses from the entire company. If implemented effectively, it will allow organizations to predict risks while seizing the opportunities that really matter more accurately.

Now is the time for companies to make the necessary GRC-focused enhancements that allow them to make their way into their markets. It is a tough task, but with great benefits for business development.

GRC TRENDS IN ETHIOPIAN BANKING AND FINANCIAL SERVICES

OVERVIEW

The money laundering controversies that have plagued Ethiopia’s banking sector over the past year reveal deep fractures in governance and oversight. Yet Ethiopia isn’t alone in grappling with these issues. Around the world, leading financial institutions have come under the scanner for misleading sales practices, price fixing, and other scandals, all of which warrant an introspective look at governance, risk, and compliance (GRC) programs.

RESOURCE

For years, these programs have been driven by compliance pressures, the sole objective being to stay out of trouble with regulators. Yet, this approach is prone to failure, for it evaluates risks from a very narrow perspective. Consider recent instances of financial fraud. The immediate losses faced by the Ethiopian Banks in question ranged from almost $2 billion - $10 billion. But more than that, the Ethiopian Banks lost as much as 20%-25% of their market value. Public confidence in the institutions plummeted as hordes of customers left in search of more trust-worthy alternatives.

Clearly, the impact of a risk event like fraud goes well beyond direct financial losses or even compliance fines, causing irreparable damage to corporate reputations and trust, both of which are among the most valuable assets an organization possesses. Understanding these long-term consequences, and building them into ROI calculations of GRC investments is key to helping Ethiopian Banks prioritize their risk mitigation efforts.

THE SCENARIO TODAY

Money laundering scandals and frauds aren’t the only drivers of GRC investments. Here are six other key trends that are prompting financial institutions to effectively mitigate risk, strengthen compliance, and build good governance practices.

SMARTER AND MORE 1 AWARE CUSTOMERS

Today’s Ethiopian Banks are dealing with a completely different set of customers than they did five or ten years ago. These new customers demand instant gratification through products and services that are customized to their specific needs. How does one anticipate those needs? By analyzing customer behavior data. Today, large volumes of this data have become available through the proliferation of digital banking and other such channels. However, like every asset, customer data brings with it many inherent risks such as data breaches and privacy issues.

In response, many leading Ethiopian Banks are building strong data governance models. They’re using enterprise GRC solutions to conduct data privacy assessments that can help them understand the type of data collected at every customer touchpoint, as well as the ways in which that data is leveraged. Their objective is to ensure that customer data is not only protected against theft, but also guarded against misuse by overzealous data scientists in the organization.

GREATER NEED FOR TRANSPARENCY

Ethiopian Banks today operate in an unforgiving market ecosystem where every risk event, be it financial loss, misconduct, or non-disclosures of conflicts of interest, are rapidly disseminated through social media, resulting in deeply negative publicity that can have an exponential impact on market valuations.

Some of the most complex, diversified financial institutions of Ethiopian are trying to understand and manage these risks. They are aligning customer complaints metrics around conduct risk and governance issues (e.g., Mis-Selling and non-compliance with fair lending practices), to the calculation of sales incentives. This approach is boosting their integrity quotient, enabling them to reduce incidents of misconduct, while also encouraging risk-aware decision-making in their traditionally ROI-driven sales function.

NEW TECHNOLOGY ENTRANTS

The competition in the financial services industry is rapidly changing with a new breed of fintech firms that are challenging the dominance of traditional players. An Accenture study notes that in Ethiopian alone, bank newcomers; including non-bank payment institutions and BigTech; have grabbed one-third of revenue growth.

Firms like these are changing the very business model on which Ethiopian Banks have built their operating profits. To survive and thrive, Ethiopian Banks will need to innovate with their products and services, while leveraging new types of assets and operating markets that were hitherto beyond their purview, a case in point being digital wallets.

As Ethiopian Banks adopt these new technologies, many are using enterprise GRC solutions to understand the evolving cyber risk profile of their business. Risk quantification frameworks are being leveraged to translate cyber risk exposures into value at risk measures which can then be used in risk mitigation strategies such as deciding on an optimal insurance cover, or determining the right amount of capital allocation for adverse risk events.

Disruptive innovations like blockchain, cryptocurrencies, and artificial intelligence are challenging the principle of a trusted intermediary on which the banking system stands. It’s no surprise, therefore, that risk management programs are increasingly aligning strategic risks to market disruptions and trends. Tackling disruptions in itself is a challenge, let alone leveraging the small window of opportunity that these disruptions provide.

GREATER REGULATORY FOCUS

As regulators try to keep pace with rapid changes in the market, Ethiopian Banks have the arduous task of responding to constantly changing regulations with agility and zero errors. They are also expected to ensure compliance with market expectations around integrity. Any lapses can be a major competitive disadvantage, as negative news travels quickly, and can set into motion a domino effect of adverse consequences.

Regulatory compliance programs are no longer simply about ticking a box, but about preserving organizational integrity and credibility. The first line of defence has become a core part of this process. To help them take ownership of compliance risks, some Ethiopian Banks are looking to build a compliance advisory function whose role is to ensure that business users have all the regulatory insights and information they need, whenever they need it, to execute a transaction.

INCREASING USE OF AI AND ANALYTICS

The rapid pace of innovation around predictive analytics and artificial intelligence has provided Ethiopian Banks with new ammunition to fuel growth, and weed out volatility. Boards and senior management can now rely on data and predictive models to make better-informed, risk-weighted decisions. McKinsey Ethiopian Institute estimates the annual potential value of artificial intelligence in banking at as much as 2.5% - 5.2% of revenues, or $200 billion - $300 billion annually.

Even banking regulators are depending on data to govern markets. They’re moving away from retrospective assessments and examinations, to a more real-time evaluation of risks facing the financial system. Many regulators are exploring the use of analytics to study risk event information from regulated entities. This data is then used to (a) predict emerging and evolving risk trends, (b) monitor systemic risk metrics continuously and in real time, (c) design forward-looking market scenarios to assess systemic stress, and (d) prescribe regulations.

BUILDING INTEGRITY

As Ethiopian Banks strive to demonstrate a culture of integrity to stakeholders and customers, GRC programs have become a key priority. The emphasis is on building the ability to be perceived as institutions of trust which, in turn, impacts long-term business performance.

Scarred by recent financial frauds, misconduct, and other scandals, Ethiopian Banks have begun a systemic movement of adopting Ethiopian best practices in GRC to help them ensure that the reputation of financial markets remains sacrosanct.

A LEADING ETHIOPIAN PRACTICE FOR ETHIOPIAN BANK’S GRC JOURNEY

As a top multi-national financial institution, the bank is expected to meet multiple regulatory obligations, while efficiently managing a range of risks, including operational IT, and reputational risks. Previous approaches to risk management and compliance were largely siloed and, thereby, difficult to scale or sustain. However, with the MetricStream Enterprise GRC Solution, the bank was able to implement an integrated approach to GRC. The solution provides a “single source of truth” for risk aligned with strategy. Powerful dashboards deliver visibility into top and emerging risks, allowing stakeholders to proactively focus on the most critical areas.

Users also have a 360-degree view of compliance across the enterprise with regulatory obligations mapped to lines of business, policies, controls, roles, and responsibilities. Through this integrated approach, the bank has gained the real-time insights they need to make better, more risk-informed business decisions that drive performance.

LOOKING AHEAD

Ethiopian Banks and financial services institutions have their work cut out for them as they strive to accelerate performance and growth in a digital, disruptive age. The risks are many, and the regulations are complex. However, a strong GRC program based on principles of trust and integrity can go a long way towards building safer, better governed, and more risk intelligent organizations.

ETHIOPIAN BANKS-ARE-GETTING-READY-FOR-BUSINESS-INTEGRATED-GRC

INTRODUCTION

Do you know where in your organization you are exposed to the highest risk of (for example) fraud, ESG-related risks, or IT disruption that can have the most impact on achieving your performance objectives?

Boards and executive management teams often have a good sense based on their gut feeling and experience, however, in today’s rapidly changing and challenging operating environment, that is not enough.

We have entered a time where Boards and executive management teams need to have a better answer. In the meantime, regulatory expectations for Ethiopian Banks are increasing to connect GRC activities with business outcomes. The result is a complex matrix of relations between strategy objectives, risk appetite levels, indicators, oversight, business processes, assessment frameworks, and disclosures. The continuing lack of resources, outdated frameworks, and unclear organizational structures add to the urgency when preparing for the increased regulatory expectations. Boards can’t ignore these expectations and need to redesign their current G(P)RC practices.

These expectations are laid down in various regional and national guidelines, principles, and/ or legislation and point in one direction:

A traditional GRC approach without corresponding business outcomes and performance elements will not sustain.

As a result, successful institutions adopt a concept that describes the interconnectivity best:

Governance, Performance, Risk and Compliance (GPRC).

It is apparent that an effective GPRC implementation is supported by the use of appropriate technology solutions while at the same time taking a proactive approach in preparing for adoption. Based on our experiences of implementing GPRC technology, we have come to the following 5 ways that will help you prepare.

TOP 5 WAYS ETHIOPIAN BANKS APPLY TO PREPARE FOR GPRC

We see five fundamental areas our clients act on when adopting GPRC:

Strategy : Describing effective, measurable strategic objectives.

Framework : Apply integrated risk management framework.

Data : Obtain key data insights driving performance objectives with related risk exposures and control effectiveness.

Culture : Identifying elements that drive the desired culture.

Risk Appetite : Defining clear risk appetite (qualitative and quantitative).

In the following pages, we have also included a regulatory perspective based on the most common regulatory guiding standards relating to the individual areas. This is not meant to be complete nor provide any assurance on the subject described as interpretations by local supervisors deviate on a case-by-case basis.

1. 1.     DESCRIBING EFFECTIVE, MEASURABLE STRATEGIC OBJECTIVES

The success of Ethiopian Banks is highly dependent on the ability of their management teams to define and promote effective and measurable strategic objectives. Without these objectives, they have about as much chance of seeing the desired outcome, as they do of winning the lottery without buying a ticket.

We see successful institutions breaking their strategic objectives down and establishing well-written objectives comprising three main parts:

A verb. Objectives are action-oriented, and therefore must start with a verb.

What you’re going to do. This is the aspirational component of the objective.

“In order to” or “so that.” This last piece is critical because it describes the business impact you hope to achieve with the objective.

Beyond sticking to the formula above, effective objectives should be meaningful to you. The more you care about an objective, the more likely you are to achieve it. Take for example the digital transformation objective. Digital technologies will be a key lever to improve efficiency, offering institutions new avenues for revenue growth. By taking advantage of digital innovation, institutions can also keep pace with competitors like FinTechs, BigTechs, and other digital natives. Of course, investing in digitalization entails short-term costs before they can reap the benefits of such technologies. Investment in digital technologies also entails operational risks to Ethiopian Banks. Today, institutions can’t afford not to follow this path.

Regulatory perspective: The Ethiopian Banking Authority (EBA) Corporate governance principles for Ethiopian Banks state that an effective risk governance framework requires robust communication about risk issues, including the Ethiopian bank’s risk strategy. In addition, a bank should explicitly link the development of the risk appetite to the budget process and annual business strategy review, considering the Ethiopian bank strategic objectives and multi-year strategy plan. When looking at specific risk domains, for example, Environmental, Social and Governance (ESG), the required disclosures link ESG risks specifically to the overall business strategy and processes. These disclosures are designed in line with the EBA’s ‘Report on management and supervision of ESG risks for credit institutions and investment firms’.

Figure 1 : EBA qualitative information requirements on ESG risks [1]

The Regulators ‘Revised Guidelines on internal governance’ stresses (i) the responsibility of the management body for sound governance arrangements, (ii) the importance of a strong supervisory function that challenges management decision-making, and (iii) the need to establish and implement a sound risk strategy, risk appetite and risk management framework aligned with the strategic objectives of the institution.

1. 2.     APPLY INTEGRATED RISK MANAGEMENT FRAMEWORK

An integrated risk management (IRM) approach allows Ethiopian Banks to manage disparate risk types across the organization, top to bottom. Having an IRM framework is critical for FI’s that wish to implement business-integrated GRC programs as it enables Ethiopian Banks to holistically manage not only their strategic risks associated with the strategic objectives, but also incorporates financial, compliance, cybersecurity, operational, IT, model, and third-party risk.

Ethiopian Banks that have successfully adopted IRM have done this by selecting the right tools and technologies corresponding to their business needs and required data insights. The selected (often technical) solutions enable process automation and cross-functional risk visibility across the organization needed for effective IRM. Ultimately an IRM will create an in-depth understanding of all aspects of risk throughout the organization, including cybersecurity and operational risk and eliminates departmental silos, and foster a risk-intelligent corporate culture.

Regulatory perspective: Risk monitoring and reporting in a bank should not only occur at the disaggregated level (including material risk residing in subsidiaries) but should also be aggregated to allow for a bank-wide or integrated perspective of risk exposures. These EBA principles for ‘corporate governance principles for Ethiopian Banks’ are in line with the IRM practices and procedures as published in the BCBS239 principles on ‘effective risk data aggregation and risk reporting’. It expects Ethiopian Banks to demonstrate that their risk management practices are founded on a comprehensive governance and oversight framework supported by the appropriate tools and methodologies. Information on risk and underlying data components should be aggregated on a largely automated basis to reduce the probability of errors. A Bank should be able to capture and aggregate all material risk data across the banking group. This information should be available by business line, legal entity, asset type, industry, region, and other groupings, as relevant for the risk in question. Ethiopian Banks’ continuous efforts to implement BCBS 239, have resulted in tangible progress in several key areas, including overarching governance, risk data aggregation capabilities, and reporting practices.

1. 3.     OBTAIN KEY DATA INSIGHTS

Once defined what good outcomes look like based on the strategic objectives and business model characteristics, market-leading Ethiopian Banks collect data, insights, and management evidence to test and showcase the effectiveness of their risk management approach. They assess whether their existing risk management information is sufficient to meet their objectives and (external regulatory) expectations. In obtaining this insight, they have resolved the challenges around responsibility and accountability for data quality across the organizations.

Regulatory perspective: BCBS 239 principles are specifically designed to strengthen Ethiopian Banks’ risk data aggregation capabilities and internal risk reporting practices, while in turn, enhancing the risk management and decision-making processes. The principles have become a standard across the banking industry, as local supervisors follow the BCBS recommendations and apply the principles to Domestic Systemically Important Ethiopian Banks.

1. 4.     IDENTIFYING ELEMENTS THAT DRIVE THE DESIRED CULTURE

Culture is what people do… repeatedly… when no one’s watching. The desired risk culture is a culture that aligns with the institution’s norms, attitudes, and behaviors related to risk awareness, risk-taking and risk management, and the controls that shape decisions on risks. Culture influences the decisions of management and employees during the day-to-day activities and has an impact on the risks they assume in doing so.

A sound, diligent, and consistent risk culture is a key element of effective risk management and enables sound and informed decision-making. Market-leading Ethiopian Banks are developing an integrated and institution-wide risk culture, based on a full understanding and holistic view of the risks they face and how they are managed, considering the institution’s risk appetite. They develop a risk culture through policies, communication, and staff training regarding the institutions’ activities, strategy, and risk profile, and adapt communication and staff training to take into account staff’s responsibilities regarding risk-taking and risk management.

Regulatory perspective: NBE expect a strong risk culture that promotes risk awareness, and encourages open communication and challenges about risk-taking across the organization as well as vertically to and from the Board and senior management. Successful institutions align their practices to their customers and have an appropriate purpose and associated business model. This is taken from the NBE Guidance on supervisory interaction with Ethiopian Banks on risk culture and Regulators Corporate Governance principles for Ethiopian Banks.

1. 5.     DEFINING CLEAR RISK APPETITE (QUALITATIVE AND QUANTITATIVE)

Ethiopian Banks must take risks; there is no risk-free path to achieving objectives. Effective risk management requires a strong, organization-wide governance structure that makes risk considerations a priority of the Board and senior management. Without such leadership and commitment, efforts to enhance risk management may be perceived as a bureaucratic “compliance exercise”.

An effective risk appetite statement is linked to the institution’s short- and long-term strategic, capital, and financial plans, as well as compensation programs. The challenge lies in identifying, prioritizing, and addressing the right risks at an optimal level, in the most effective ways. Ethiopian Banks often place great importance on quantitative risk appetite levels over qualitative levels. Leading Ethiopian Banks that implemented GPRC effectively have found a way to do both.

Quantitative risk appetite: Defining a Ethiopian bank’s risk capacity is a crucial step in developing a comprehensive and effective Risk Appetite Statement (RAS). The RAS is also the area in which the concept of risk appetite connects directly with those of ICAAP/ILAAP and recovery planning. Therefore, risk capacity is mostly calculated in terms of capital adequacy. However, after the collapse of SVB, a liquidity risk capacity is evenly important and many Ethiopian Banks use regulatory stress-based metrics for this purpose such as LCR (Liquidity Coverage Ratio).

Qualitative risk appetite: Leading Ethiopian s have addressed more difficult to quantify risks in their RAF and RAS. Examples relate to reputation and conduct risks as well as money laundering and unethical practices. It also clearly articulates the motivations for taking on or avoiding certain types of risks, products, services, organizations, customers, cyber, ESG, country/regional exposures, or other categories.

Regulatory perspective: Both FSB principles for an effective risk appetite framework as well as BCBS 239 provide clear expectations on risk appetite and the underlying data requirements, both qualitative and quantitative. We highlight the following:

Risk data and reports should provide management with the ability to monitor and track risks relative to the Ethiopian bank’s risk tolerance/appetite. Ethiopian Banks should develop forward-looking reporting capabilities to provide early warnings of any potential breaches of risk limits that may exceed the Ethiopian bank’s risk tolerance/appetite. Reports should identify emerging risk concentrations, provide information in the context of limits and risk appetite/tolerance, and propose recommendations for action where appropriate. The Board should indicate whether it is receiving the right balance of detail and quantitative versus qualitative information.

CONCLUSION

Insight into key areas of risk will enable targeted action and drive business decisions. This can only be effective if decisions are based on the current state of business while anticipating future developments (through forecasting, predictions, or simulation) in both risk, compliance, and performance.

Recent Ethiopian events will increase the expectations put on Ethiopian Banks to provide insights into the (risk) elements that drive performance objectives and assign measures appropriately.

Simultaneously, Boards and executive management teams need to ensure their strategic plans align with their medium-term structural changes in the operating environment. Changes are evident resulting from high inflation, interest rate volatility, disruptions in the Ethiopian supply chain, and slowing economies.