The Banking Royal Commission Report Highlights the Importance of GRC Compliance, Risk and Audit Tools

The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry of Australia has released its interim report, and it does not look for the banking industry. The focus of the report is on how many banks in Australia have behaved irresponsibly and need to improve their focus on compliance, risk, and audits. However, the report again and again highlights the importance of having the right tools.

Banks need to be able to demonstrate compliance

Kenneth Hayne, the banking royal commissioner, puts a lot of focus on the failure of the banks to be able to demonstrate compliance. Not only were their compliance problems, but it was also difficult to access any data about the compliance problems. In the report, the commissioner highlights the lack of a reporting and management system that could weed out problems. He talks about the lack of a “management system under which serious concerns about an adviser could be met with inadequate responses, coupled with an inability to access client files for the purposes of review and remediation, might amount to a failure by (the bank) to take reasonable steps to ensure that its representatives complied with financial services laws”.

Note that his complaint isn’t just that there are compliance issues, but that the bank lacks any system that can access the required files for review and remediation. In other words, not only was the bank making a mistake, but it didn’t have a system in place that could detect or help correct the mistake. The report goes on to report many other similar issues.

National Australia Bank itself realized that it needed GRC solutions for compliance, risk, and audit management. As the report states, “NAB’s own analysis of the root causes of the conduct concluded, among other things, that ‘there was a lack of controls in relation to addressing intentional misconduct (including fraud)’ and that ‘monitoring and reporting was not being used adequately to enable early identification by NAB of emerging issues’. As NAB said, ‘NAB’s investigations and its root cause analysis revealed that its processes were, in the relevant period, not adequate to detect and prevent the misconduct.”

Commissioner Haynes goes on to write more about how NAB had no system in place which would detect and flag the many non-compliant and fraudulent practices being performed by its employees and partners. He writes that “Controls were not designed to identify effectively and consistently instances of intentional misrepresentation of information, which was a key characteristic of the relevant conduct. That is, the then existing monitoring and reporting systems did not adequately detect and deter non-compliant conduct and fraud.”

This directly highlight the importance of automation in compliance and risk management. Any decent compliance and risk management GRC solution would instantly highlight any such violation. Any missing required information will instantly trigger notifications for all relevant stakeholders. NAB here isn’t being admonished just for the conduct, but also for not having a system in place that could have prevented or detected the conduct in any manner.

This point is brought up in the report multiple times. It goes on to say that “NAB’s apparent inability to draw together information about instances of misconduct identified during the immediately preceding five years shows that it was then unable to identify promptly, whether for its own internal purposes or for any external purpose, a single, reasonably comprehensive and accurate picture of whether and how it had failed to comply with applicable financial services laws. On the face of it, information of that kind would be important not only for managing compliance with those laws but also for identifying whether separate events stemmed from similar causes.”

Meaning that even when asked by the commission to look into the issues present in compliance and risk, the bank was unable to produce the required documents. The relevant information was not readily available, and it was difficult to even determine what financial services laws were broken.

The same issues are prevalent globally

While the report was only about banks in Australia, the same issues are prevalent all around the world. Banks often do not have the right systems in place for managing risk and compliance. When a regulatory body tries to do a study, they are met with obstacles in obtaining and analyzing information. Having a risk and compliance system in place means that all the issues the report highlighted would be fixed with a few clicks.

Automation is the future. GRC companies have been highlighting the benefits of GRC solutions for a long time, but now even regulatory and auditing bodies are highlighting their need. These bodies have realized that having the right systems and controls in place is the only way to effectively manage risk and ensure compliance.

About the company

360factors, Inc. (Austin, TX) helps companies improve business performance by reducing risk and ensuring compliance. Predict360, its flagship software product, vertically integrates regulations and requirements, policies and procedures management, risks and controls, audit management and inspections, and on-line training and qualifications, in a single cloud-based platform based on artificial intelligence.

Remain up-to-date on industry news/updates through our Twitter & Linkedin profiles.