New threats, old foibles prompt banks to switch GRC vendors
Op Risk Benchmarking: more than half of participants are reviewing or switching systems
Switching from one software vendor to another can be painful. It can also be unavoidable.
More than half of the participants in a new Risk.net survey are now either considering that wrench – or living through it – for their governance, risk and compliance (GRC) systems.
The reasons vary. In one case, a bank chose to upgrade from an in-house system because of the changing nature of the information security (infosec) threats it faces.
“Due to geopolitical tensions, more and more, you need to evolve to meet the threat with more metrics and more risk documentation – you need to have better GRC to work,” says a senior risk and cyber manager at one European bank. “I don’t think it’s that people are immature: I think the world is evolving, and we need to keep up.”
In another case, one bank reports pushing the business to shoulder more risk management responsibility, so is switching to a system that is easier for front-line staff to use. There are also complaints of being let down by an incumbent provider.
The findings are part of the second round of Risk.net’s Op Risk Benchmarking service, which will be published over the next couple of weeks. After data on op risk management at the largest global banks was published in July’s first round, the new batch of data comes from 12 somewhat smaller banks – mostly regional and domestic players (see box: Mini-methodology).
The list of participants is diverse, crossing five continents and taking in sizeable global markets banks alongside High Street lenders, regional commercial banking champions and one development bank. One trait they have in common is a surprising willingness to review and change the GRC vendors they are using – although policies and actions vary by risk type.
For information security, half of the banks review vendor provision at least annually, potentially reflecting the rapidly mutating nature of these threats – it may be easier for a vendor to fall behind the curve here (see figure below). Two banks are planning to increase spending, one on its incumbent vendor – IBM OpenPages – in order to use it more widely across other risk types.
Another firm benefiting from the winds of change is MetricStream, which was chosen as the replacement vendor by two banks that are cutting ties with their current providers. One of these banks will apply the new system to infosec; the other, to both infosec and execution and process errors.
For execution and process risk, incumbent vendors can rest a little easier. Only three banks review provision annually, and all appear happy with their existing systems – one bank is planning to increase spend with its current vendor – although another bank admits its solution still “requires development” (see figure below).
The two banks in the process of switching to MetricStream are very different animals in terms of business mix and risk profiles. For one of them, the decision to switch was driven by its attempts to push more responsibility for risk ownership down to first-line business units, including a drive to capture more risk data. The user-friendliness of its outgoing system was a barrier to progress.
“We received a lot of feedback from the business units that the current system is not that user-friendly,” says a senior op risk manager at the firm. “Also, there were lots of promises on the reporting side – but we never got to where we really expected. We want the business units to use the system more, and to take the lead on preparing the risk and control matrix – but when they say the system is not user-friendly, then it's hard to impose that.”
There are pros and cons to any change, though. This bank admits some risk aggregation functionality, which rests on legacy data and algorithmic processes, could be lost in the switch. “If we lose that data, then it could hamper some of that capability. So the data migration is important,” they add.
The other bank switching to MetricStream also notes that stripping out an incumbent vendor is hard – from both the technological and human points of view.
“We customised the previous tool so much to our framework – things that people are already used to for several years – and now they have to get used to the new tool. Having those two changes at once is a challenge,” says an op risk manager at the firm.
Given the complexity banks face when moving from one system to another, some risk managers are surprised their peers review providers so regularly: “If you look at the efforts we have to put in to switch, [reviewing] annually is quite funny.”
Other factors may be at play when banks review their vendors. The head of op risk at one G-Sib who took part in the first round of benchmarking work noted that he frequently invites pitches from vendors that the bank has no intention of engaging, largely to glean information on which providers his peers are buying, and how they are integrating them.
Mini-methodology
Risk.net’s Top 10 Op Risks help track – and set – the risk agenda at many institutions.
For the first time this year, we broke the responses into four cohorts – G-Sibs, banks, financial market infrastructures and asset managers & insurers – creating a separate top five list for each. We then engaged in detailed follow-up surveys for each cohort about how they manage the five risks selected by their peer group, from staffing to technology, from modelling to reporting.
The Op Risk Benchmarking service is built on the findings of those surveys. We hope the information will be helpful to a discipline that has grown up rapidly in the past decade, but often lacks clear standards and best practices.
The full dataset is only available to participants in the exercise. Subscribers have access to selected highlights and commentary.
More details on our Op Risk Benchmarking can be found here. Please send any questions or comments, and if you want to participate in the next round, let us know: ORMBenchmarking@risk.net
Copyright Infopro Digital Limited. All rights reserved.