GRC SaaS Is So Perfect!
Tom Baumgartner
Marketing Leader - Cybersecurity, Data Security, DSPM, DLP, SSE, SASE, Gen AI
If you opened this article:
In the poetic words of a former colleague, “Banks don’t want to be software companies. They want to be banks.” Same goes for credit unions and other financial institutions. They’re in the business of managing, protecting, and growing their customers’ and members' assets. Over the past 10 to 20 years, they’ve also been subject to growing regulations that require more scrutiny and control of their governance, risk management, and compliance policies and practices than ever before.
Easier said than done.
Take Care and Be Careful
By nature, banks and credit unions tend to be risk-averse. Financial institutions must always strategize and execute on safe and cost-effective asset protection and service availability to ensure their customers’ continued business and peace of mind. If customers experience a privacy vulnerability due to data breaches, a decrease in available services due to diminishing returns on asset investments, or perhaps even just a website outage that blocks online banking access, those customers may take their trust and business elsewhere.
If only keeping their business were the biggest problem.
A Fine Mess
Even though you never know when a surprise audit will happen, you should always be ready for it. Right? An insurance claims processing company recently told us it had decided to postpone a decision on a business continuity solution so it could prioritize a potentially disruptive office move instead. A bit ironic, yes, but I digress. “We’ll wait ’til next month,” they said. With the irony in mind, we encouraged them to reconsider. Days later, compliance auditors announced an upcoming visit. Unprepared, unorganized, and unable to press rewind on the decision to wait until next month, they were in an unfortunate but avoidable situation.
Here are some public examples of fine messes:
· The Office of the Comptroller of the Currency (OCC) ordered Citibank to pay a $400 million fine in October 2020 for “deficiencies” in enterprise-wide and compliance risk management, as well as its data governance and internal controls.
· Also in October 2020, the OCC fined USAA Federal Savings Bank $85 million for failing to “implement and maintain an effective compliance risk management program and an effective information technology risk governance program.”
· Following a 2017 regulatory action, the Federal Trade Commission (FTC) required Western Union to pay $586 million in monetary relief to consumers for turning “a blind eye to the fraudulent payments made through its money transfer system.”
The point is: Perhaps even worse than losing customers are the fines that come with not playing by the rules, or even more regrettably, not being ready to play by them.
Decision Time
So, a key ongoing question is, “Do we figure out how to manage GRC on our own, or do we look to outside expertise instead?” Since there is inevitably a technology investment and potentially a human investment to go with it, a frequent second question is, “Do we want the overhead of maintaining the technology in-house?” And then, “What will tip the scale?”
The complexities of GRC and the potential magnitude of a failed technology implementation lead many banks, credit unions, and other financial institutions to seek low-maintenance outside expertise. Just like banks want to be banks instead of software companies, they don’t want to maintain software because of its related CapEx and OpEx costs.
Enter GRC software as a service, or, GRC SaaS. While it may not be perfect, it looks and sounds pretty good given the risks and costs of non-compliance. It allows banks and credit unions to focus more on serving their customers and members, and less on servicing software. But a warning: Beware of Purchase and Sail Agreements.
That’s not a typo; it’s a misspelling to help make a point. Many vendors will convince you to purchase their service and then wrap up the transaction and sail away to their next opportunity. You find yourself mostly on your own to figure out how to use the service as it was promised to work, but this too is easier said than done. So, make sure you partner with a trustworthy vendor that values the whole customer success lifecycle of your investment, not just the point-of-sail relationship part.
Whatchu Gonna Do Next?
Contact me today to learn more about how I can help.