Increasingly, banks must strive to react more quickly and efficiently to regulatory change. More importantly, with the shift to judgement-based supervision, it's no longer enough to have lists of 'dos and don'ts'. Policies have become critical in establishing boundaries of behaviour for individuals, processes, relationships and transactions.
In this post, we'll look at GRC 20/20's policy management maturity model and how banks can use it to identify their strengths and weaknesses, improve their policy management framework and track compliance progress.
What's a maturity model?
A maturity model assesses proficiency in a specific area by placing organisations on a sliding scale. Typically, the model is made up of a number of increasingly advanced levels, with level 1 being the least advanced.
Maturity models aren't a new concept. Richard L. Nolan created the first one in 1973 to describe different stages of IT maturity in business. Over the years, they've been applied to processes in any number of fields — from finance, knowledge management and behavioural science to everything in between.
GRC 20/20's policy management maturity model is designed specifically to measure banks' policy management framework. It has the following five levels:
Level 1: Ad Hoc
Here, any policies the bank has in place are disorganised. Issues are addressed as they arise. Use of technology is scattered. There's no specific methodology or clearly defined roles and responsibilities.
Level 2: Fragmented
Level 2 banks have started to understand they need to stop reacting and take charge. But while individual departments may have started writing down their policies and procedures, templates and language are inconsistent. There's no standard methodology and technology is still scattered. There's also little understanding of how effective policies actually are.
Level 3: Defined
At this level, there's more governance and, so, more consistency. Individual departments will have templates, checklists and other written processes and procedures in place. They'll also use technology to work more efficiently. But this level of maturity won't extend to the organisation as a whole.
Level 4: Integrated
This is where silos start to break down. Policies and procedures are easily accessible across the whole organisation. There are also common processes, common templates, a common methodology and style and widespread use of technology.
Level 5: Agile
At this level, banks have a centralised policy management framework. There's an integrated learning environment, automated forms and integration with other areas of their Governance, Risk and Compliance framework. The organisation can react quickly to regulatory change and focus on principles and outcomes instead of relying on prescriptive lists of 'dos and don'ts'.
Why should banks care about maturity models?
With the shift to judgement-based supervision, most banks have had to take a long, hard look at their compliance culture across the whole organisation. The problem is that this exercise can be highly subjective.
Maturity models inject objectivity into the process by comparing systems and procedures to a series of independent benchmarks. This is useful in understanding how well individual banks are doing compared to competitors. But, more importantly, it helps:
- Develop a roadmap to better policy management
- Track and measure progress
- Ultimately, have a more efficient and cost-effective compliance function
Put another way, a maturity model allows banks to put a number on how well they're doing and create a strategy that moves them forward to the next level.
Levelling up: hitting the road to maturity
While a maturity model enables quantitative measurement, it's not entirely objective. Case in point: the difference between not having any methodology at all (Level 1 of the GRC 20/20 policy management maturity model) and not having a 'standardised' methodology (Level 2) can seem open to interpretation.
For this reason, it's important to do thorough internal research before implementing a maturity model. At ClauseMatch, we've developed a questionnaire that helps identify pain points and break down what needs to be done to move on to the next level of the policy management lifecycle.
More to the point, a maturity model is only a yardstick. Banks who use a maturity model are better at quantifying where they stand and tracking progress. But to be successful, they must also take change management seriously and commit to it long term.
Ultimately, process can only follow once an organisation knows where they're headed. It's only if everyone understands the value of moving forward and senior people take ownership that lasting change can happen.
Looking ahead: the maturity model as a starting point
By 2020, London-based think tank JWG reckons there'll be over 300 million pages' worth of regulations for banks to contend with.
The average Tier 1 bank now employs 500 compliance staff and spends over $50 million a year on technology in an effort to cope with the onslaught. And, over the next few years, compliance budgets will continue to grow, with technology making up 40% of that spend by 2023.
But will bigger budgets and more technology help banks get better at policy management?
According to McKinsey's compliance benchmarking report, it's not a given.
There's no doubt that automating repetitive processes can unlock huge cost-savings, make banks more transparent and give them a competitive edge. But first, they must stop being reactive and start looking at the bigger picture.
Or, put another way, they must do the groundwork and strive to get to level 5.