This site is part of the Informa Connect Division of Informa PLC


The evolution of GRC: New tools for the first line of defence

IBM explores how, in the rapidly changing global financial markets, next-generation governance, risk and compliance solutions are empowering growing numbers of organisations and business users to make risk-aware decisions and increase process efficiency and effectiveness.


Attitudes to governance, risk and compliance (GRC) activities are changing among Tier 1 financial institutions. The need to keep up with rapid regulatory change, and the pressure of larger, more publicised penalties dealt out by regulators in recent years have prompted an evolution in how risk is viewed and managed. Financial firms also face an increasingly volatile market environment that requires them to remain nimble – not just to survive, but to thrive.

As a result of these market developments, GRC is now seen not as one strand of the business but as a far more integrated activity, with many companies realigning resources around the ‘three lines of defence’ model. GRC is increasingly being treated as an enterprise-wide responsibility by organisations that are successfully navigating these challenging times for global financial markets.

This shift in attitudes is also leading to a rethink in relation to the tools used by all three lines of defence to participate in GRC activities. Some are exploring more innovative solutions to support and engage infrequent users – particularly those in the first line of defence (1LoD). The more intuitive design of such tools enables these users to take a more active role in risk-aware decision-making (see figure 1).

Figure 1 The three lines of defence risk management model

These and other innovations promise to bring greater effectiveness and efficiency to an area into which firms have channelled increasing levels of resource in recent years but are struggling to keep up with demand. Our survey found that risk and compliance professionals acknowledge the limitations of existing operational risk and regulatory compliance tools and systems to satisfy current and future GRC requirements.

The survey polled 106 senior risk, compliance, audit and legal executives at financial firms including banks (53%), insurance companies (21%) and asset management firms (12%) in November and December 2018. The results revealed that nearly one-third of these respondents remain unimpressed with the effectiveness of their organisation’s ability to cope with the complexity and pace of regulatory change. Nearly half gave a similar response regarding their organisation’s efficiency in this area.

With these issues in mind, many of the firms surveyed have started to explore user-experience needs more deeply and combine the results with artificial intelligence (AI) capabilities to further develop GRC systems and processes. These capabilities are designed to enhance compliance systems and processes and make them more intuitive for all.

As such, user-experience research and design has become a key consideration for organisations wanting to ensure employees across all three lines of defence can participate more fully in GRC activities. In addition, AI-powered tools can help 1LoD business users better manage risk and ensure compliance by increasing the efficiency and effectiveness of these GRC systems and processes.

The survey shows that, while some organisations are already developing these types of solutions, there is still room for greater understanding of the benefits of new and innovative forms of technology throughout the global financial markets. For instance, nearly half of respondents to the survey, when asked about the benefits of AI for GRC activities, were unsure of the potential time efficiencies such tools can bring. More than one-quarter were undecided on whether AI would free up employees’ time to focus on more strategic tasks.

Many organisations are still considering how to move forward in this area, but it will be those that truly embrace user-focused tools and leverage innovative technologies such as AI and advanced analytics to increase efficiencies that can expect to reap the rewards of successfully managing regulatory change and tackling market volatility.

Addressing complexity

The financial services sector has undergone a sustained period of change in recent years, and financial firms continue to face increased complexity, particularly in relation to regulatory change. The rapidly increasing regulatory burden piled on by governments around the world in the wake of the 2007-08 global financial crisis has led to an influx of new rules and regulations that must be acknowledged, understood and adhered to – not just by compliance professionals, but across organisations in the financial sector.

Three‑quarters of survey respondents rated the complexity of the current regulatory compliance environment seven or above on a scale of one to 10, where 10 indicates the most complex (see figure 2). Regulatory complexity is not the only challenge – sustained market volatility in recent years has only added to the pressure as firms attempt to not only comply but also compete in a rapidly shifting market environment.

Figure 2 Rank the complexity of the regulatory compliance challenge your organisation faces

Many organisations have attempted to address such issues by putting more resources into the area of risk and compliance. According to the survey, over the past 12 months alone, 60% of firms polled have increased resourcing levels for GRC activities – for 35% of these organisations the increase was up to 10%, while for 25% it was more than 10%. Only 12% of those polled work at firms that have decreased resources during this period (see figure 3).

Figure 3 How the level of GRC resources is expected to change over the next 24 months

In spite of the increasing levels of investment into this function to date, the overall perception of the effectiveness and efficiency of organisations’ responsiveness to such issues as regulatory complexity remains lukewarm. When asked to rate their organisations’ ability to cope with the complexity and pace of regulatory change on a scale of one to 10, where 10 is the highest rating, 30% of the risk and compliance professionals surveyed gave a rating of five or below for effectiveness, while nearly half (48%) gave ratings within the same range for efficiency (see figure 4).

Figure 4 Rank the effectiveness and efficiency of your organisation at coping with the complexity and pace of regulatory change

Researching user experience

More specifically, users across all three lines of defence remain unimpressed by their organisations’ GRC solutions and processes in relation to user experience. This is an important issue to address since regulatory developments in recent years have increasingly pushed the 1LoD to step forward and take greater responsibility for risk and compliance activities. While this development is to be welcomed, these users often lack the tools and ongoing training to ensure firms can create a consistent and accurate GRC response.

The tools used within these organisations have often been designed to suit the firms’ GRC ‘power users’ – the second line of defence (2LoD) or risk department. These are employees that use the tools regularly and are well aware of the overarching needs of the risk assessment process. For less frequent users, such as the 1LoD business users, extensive training or practice is often required to ensure ease of use and understanding of the aims of the system being used.

This is borne out by the results of the survey, with only 2% of 1LoD respondents rating their organisation five out of five for the ease of access, understanding and user experience of its GRC solutions and processes for 1LoD users. At the other end of the scale, 68% of those polled gave a rating of three or below (see figure 5).

Figure 5 Organisations' GRC solutions and processes ranked in terms of ease of access, understanding, and user experience

Developing intuitive solutions

Organisations will undoubtedly struggle to make risk an enterprise-wide concern if the first line – the people closest to and responsible for controlling these risks – find risk assessment tools unmanageable or difficult to use. So how can financial firms address the growing gap between needs and current capabilities when it comes to managing risk and implementing a compliance framework? One way efficiency and effectiveness could be improved is by developing better solutions and tools for use within the GRC function.

To empower 1LoD users to make a full contribution to GRC activities, organisations should look to a new breed of innovative, end-to-end solutions that combine AI capabilities with an enhanced user experience that supports employees from across the organisation – not just more regular users in the 2LoD. Implementing such tools enables less experienced users of GRC applications to fully participate in these activities without the need for extensive training in the systems and processes. In this way, all employees can take responsibility for risk management, enabling organisations to make risk-aware decisions, fully adapt to regulatory change and face market volatility head-on.

A further benefit is that risk and compliance management can be streamlined. While there are a range of solutions available that deal with certain elements of the regulatory change lifecycle, an end-to-end solution takes the multiple steps involved and condenses them into a more efficient and effective package – freeing up time and resources for other more valuable activities. For 1LoD users in particular, providing such a solution in a more intuitive user-friendly format is invaluable since it reduces the time and effort that less frequent users might take to complete a risk assessment or other GRC-focused activity.

Current and future applications

The survey highlights that financial firms already recognise that these solutions can be used to more efficiently manage the regulatory change process. For example, AI-based solutions can provide smart alerts to highlight the most relevant regulatory changes – 35% of survey respondents see AI as offering the biggest potential improvements in this area.

Improving the speed and accuracy of classification and reporting of information – for example, in relation to loss events – was another area identified for its high AI potential. Nearly one-third of respondents (31%) see possibilities for improvement of current GRC processes in this area (see figure 6).

Figure 6 In what GRC activities does AI offer the greatest potential improvements

Some financial firms have already started to reap the rewards of this type of approach. Larger firms are typically ahead of the game with such developments, often having more resources to put into research and development. Out of the 13% of larger firms that have seen a decrease in GRC resources over the past year, one-third of survey respondents attribute that to “tools and automation improvements”.

Similarly, 44% of those polled work at organisations already making changes to improve end-to-end time and user experience in relation to GRC processes and tools (see figure 7). A further 19% plan to do this in the next 12 months and, in line with this, 64% of survey respondents expect their firm’s GRC resources to increase over the next 24 months (see figure 8). While it is not clear from the survey whether these additional resources will be specifically directed towards AI, more than 80% of respondents work at organisations currently considering AI for a range of GRC activities (see figure 9).

Figure 7 How are organisations working to improve end-to-end times and the user experience for GRC processes and tools

Figure 8 How the level of GRC resources is expected to change over the next 24 months

Figure 9 What GRC processes are organisations currently using, or considering using, AI to enhance the process

The most popular use of AI among financial firms is to improve the speed and/or accuracy of classification and reporting information, such as loss events – 19% of respondents say their organisation is currently using AI for this purpose, with 81% currently considering this type of use (see figure 9). Such events happen fairly infrequently, so training employees to classify and enter such information can be time consuming, but incorrect classification can have a real impact on data quality. By using natural language processing (NLP) tools to understand and categorise loss events automatically, organisations can streamline the time and resources required to train employees to collect and manage this information.

According to the survey, 83% of respondents are also currently considering the use of AI tools to develop smart alerts that will highlight any new rules or updates to existing regulations, helping financial firms manage regulatory change more efficiently (see figure 9). Many organisations already receive an overwhelming number of alerts every day relating to new rules or changes, but some or all of these changes may not actually apply to their businesses. AI can be used to tailor these alerts to ensure compliance teams only receive the most relevant alerts. Using NLP to create this mechanism can be the difference between sorting through 100 alerts in one day and receiving one smart alert that has been identified by an AI-powered solution.

Control mapping is another area to which AI can add value. When putting controls in place relating to specific obligations within a regulation, for example, compliance teams can either create a new control or, using NLP, detect whether there is already an applicable control in place that can be mapped to record the organisation’s compliance with the rule. This reduces the amount of time spent by the team reading and understanding new legislation or rule changes to determine applicability, as well as improving accuracy and reducing duplicate controls.

Accessing the cloud

In addition to AI-based projects, cloud continues to pique the interest of financial firms, according to the survey results. While nearly half of organisations polled (49%) have no plans to use a vendor for cloud hosting at present, nearly one-fifth (19%) are in the early stages of implementation and 9% have a mandate to do so in the next three years (see figure 10).

Figure 10 Is your organisation using or considering using a vendor for cloud hosting for GRC

For organisations, managing IT risk (57%) is the most popular GRC activity for cloud use, with half of respondents already using this type of solution for regulatory compliance management. Looking to the future, managing vendor or third-party risk seems to have the most potential in the eyes of these respondents, with nearly three-quarters (74%) saying their organisation is currently considering cloud use for this area of GRC activity (see figure 11).

Figure 11 Which GRC activities are you currently using or considering using the cloud for

However, there are obstacles to market-wide uptake of cloud-based capabilities. Data privacy remains a major issue for many market participants. In such instances, hybrid solutions that make use of a mix of private and public cloud facilities are being used to bridge the gap between data privacy concerns and the growing need to manage and analyse significant volumes of information. This is evidenced by the survey results – only 6% of respondents’ organisations currently use the cloud for more than half of their GRC applications (see figure 10).

Enhancing understanding to empower the 1LoD

Although some firms are leading the way when it comes to developing AI applications for risk and compliance purposes, this survey shows there is still some way to go when it comes to fully understanding the benefits of such innovative technologies among the wider market.

While nearly two-thirds (65%) of the risk and compliance professionals polled agree that the use of AI and advanced analytics for GRC activities allows employees to focus on more strategic tasks, and the majority (59%) believe these tools can enhance data quality, some respondents remain unclear on or unconvinced of the benefits of AI-powered tools. Between one-quarter and roughly half of respondents were unsure when asked whether they agreed or disagreed with a range of positive statements about AI and GRC activities (see figure 12). This includes whether the use of AI would free up time to focus on more strategic tasks (26%) and whether it would enhance data quality (32%).

Figure 12 To what extent do you agree or disagree with the following statements relating to AI and GRC

By developing a deeper knowledge and understanding of AI technology and the need for enhanced user-experience design within GRC tools and systems, organisations can find ways to manage market change. Whether it’s in relation to the evolution of the regulatory environment or tackling market volatility, organisations that do not embrace the growing trend for risk and compliance tools based on AI technology will fall behind the competition. Similarly, these solutions need to appeal across the organisation – from those using these systems every day to those using them less frequently but who are just as important to GRC activities.

In today’s complex regulatory environment, risk management is a firm-wide responsibility, and every opportunity should be taken to engage staff effectively in support of this common goal. To achieve this, there is a need to develop more user-friendly tools, particularly for the business users closest to the operational risks. AI can play a major role in making such tools a reality, helping to improve data quality and using NLP to streamline processes used to map and classify crucial information. In this way, organisations can empower the 1LoD to make more risk-aware decisions.

Similarly, development of intuitive tools that make user experience a priority has never been more crucial. As financial firms face a more complex market environment, it has become increasingly important to empower employees across the business to make risk-aware decisions. This will ensure these firms comply with changing regulations, while providing them with the tools to remain competitive in the markets in which they operate.

With an end-to-end solution based on enhanced user-experience design and AI capabilities, managing risk and regulatory change becomes more straightforward for all three lines of defence, enabling employees across the organisation to contribute. By taking on much of the time-consuming repetitive manual work of managing regulatory change, these tools also allow existing resources to be redeployed to more strategic, value-add activities. Rather than spending time relearning or struggling with complex questionnaires and risk assessments, the 1LoD can leverage risk data for decision-making and the organisation can maintain its competitive edge in a fast-moving market environment.

About IBM Watson Financial Services

IBM works with organisations across the financial services industry to use IBM Cloud, cognitive technology, big data, regulatory technology and blockchain technology to address their business challenges. IBM Watson Financial Services merges the cognitive capabilities of Watson and the expertise of Promontory Financial Group to help risk and compliance professionals make better-informed decisions to manage risk and compliance processes. These processes range from regulatory change management to specific compliance processes, such as anti-money laundering, know your customer, conduct surveillance and stress testing.

For more information

To learn more about IBM solutions for regulatory compliance, visit
