
The evolution of GRC software – part 2

Chris Hamblin, Editor, London, 28 November 2017


In this discussion, recorded in the form of a question-and-answer session, we draw on the considerable experience of French Caldwell, chief evangelist at MetricStream, the Californian governance, risk and compliance (GRC) apps company.

Compliance Matters caught up with the American GRC guru on the sidelines of the MetricStream conference in London recently. More than half the attendees there were from financial services. Our discussion ranged over the whole history of GRC software – a story that is still unfolding – and the increasing integration between compliance software and that of other business functions.

Compliance Matters: Two kinds of professionals tend to become compliance officers – lawyers and accountants. Lawyers are good at the rules; accountants are bureaucrats so they’re better at processes.

French Caldwell: Right! Well, over my career I’ve advised a lot of IT people because more and more of the rules and regulations involve IT since all of the processes are supported by it. So I’ll have IT people saying how do I know what rules and regulations apply to me? These days I have a fairly easy answer for them – I say have a look at UCF [the unified compliance framework, used voluntarily by many software firms including MetricStream] and that’ll get you started, but besides that I tell them to start making a list because they probably know a lot of them. They should then go and talk to other people in their organisation and say “what are the common rules and regulations that are impacting us in our business and in our industry?” They should also be sure to ask their general counsel. They may have an affairs office. They can go to industry associations – they track all of this.

I said to one compliance officer ‘talk to your general counsel’ and he said ‘I did and he asked me!’ I used to get that answer quite a bit. It’s not as bad these days.

So the first generation of GRC was reactive solutions – and these were usually point solutions with SOX compliance being the big ‘a-ha’ moment for the modern GRC vendors.

Compliance Matters: Not the USA PATRIOT Act 2001?

French Caldwell: No, that came later. Or was it the same time? Actually SOX was 2002 so it did come earlier, but that was not the trigger for the GRC industry. It was Sarbanes-Oxley and here’s why. It had automatic enforcement embedded in it. Even GDPR does not require your chief executive officer and chief financial officer to sign off saying that the controls were effective in your annual report. With Sarbanes-Oxley the CEO and CFO are required to sign on the bottom line and attest that their controls are effective to the best of their knowledge.

Compliance Matters: There’s more of that going on now.

French Caldwell: Yes there is, you’re right, but that was new at that time and so, all of a sudden, we have this ‘a-ha!’ I do think the GDPR has quite a lot of teeth because the data protection officer does have to report to the CEO and there are very heavy penalties [for non-compliance]. The privacy authorities have shown a willingness to enforce the EU’s Data Protection Directive as it is now but the penalties have been fairly meaningless. Now you go from a 300,000 euro penalty to a 20 million euro penalty for the same violation or 4% of annual turnover, whichever is the larger.

You know you’re going to have a security breach. Everyone at some time has one. You’re required to report security breaches to the privacy supervisory authorities, so all of this gives it some real teeth, but back in 2002 SOX was the first thing that really got people’s attention.

Then you had the multi-regulatory compliance.

The third generation and the first line of defence

Then on the third generation of GRC technology, you started having more and more requirements. The vendors said...we were by then selling to compliance professionals. They’d added some risk assessment capability to help people assess which controls were prone to the highest risk, which is actually what a lot of rules and regulations actually require. In other words, the regulators said if you’re focused on everything you’re focused on nothing, we need you to identify which of your areas of business or your controls are at the highest risk, and so risk assessment capability is the best approach. That was actually driven by the regulatory people.

With that, you had risk assessment capability, you had the multi-regulatory compliance, then you had the financial crisis – no rules and regulations and requirements within the financial services industry to reduce operational risk. Now there were more and more requirements from the authorities to reduce enterprise risk overall. And the vendors were also saying who else can we support with these platforms we’ve built and they said oh, auditors, so the GRC vendors moved into the audit management space. Before, they had a couple of vendors, small players.

Compliance Matters: Does this improve audit? Because auditors are famously easy to fool if you’re a fraudster working at a bank.

French Caldwell: It improves audit because they can see what the second line of defence is doing. They can see what the compliance and risk assessment professionals are doing. So audit can now plan more effectively.

Compliance Matters: Who came up with these three lines of defence, the Basel Group?

French Caldwell: I’m not sure. I’d have to go back in history. I think a lot of it came out of IIA, the Institute of Internal Auditors. It really came out of the audit community.

Compliance Matters: Regulators always talk about it now, whereas 15 years ago they never talked about it.

French Caldwell: Sometimes, by the way, I think it detracts from compliance because...OK, who’s the first line of defence? It’s not just the customer-facing people, it’s everybody who isn’t second line (compliance and risk management) or third line (audit) of defence. We heard Barclays today say that ‘legal’ is not in the second line but the first line. If you read some of the banking rules and regulations it’s really a quite valid interpretation because legal is dealing with quite a lot of front-office matters, so they fall into the first line.

What’s missing out of all this? What I say is the coalface. It’s the actual workers at the coalface. The people who are out there...your salesmen, your employees who are interacting with customers. So you go back and say oh, the business unit leader is responsible for the risks and controls that are under his business unit, from the processes that they have and the assets they have, a lot of the risks and controls associated with those processes, those assets, and so this business unit head is answerable.

Compliance Matters: In our industry sector it’s even worse, because relationship managers at private banks are in the front line of defence but they’re also the people who need to sell things to the HNWs. The very man who wants to get your money is the very man who’s in charge of your compliance and due diligence.

French Caldwell: That’s a real challenge. As I say, these are the people at the coalface. These are the people who are out there, managing the clients and trying to expand their portfolios and their boss is the one who supposedly owns all of the risk.

Now if you look at the typical financial services firm, the number of people at the coalface is 15% of all the employees. So you’re asking the 15% to have to own all the risk and all the controls. I just see that as a problem. We’re neglecting the coalface. So the only way I think that you deal with those people at the coalface is through direct monitoring. You can train them...

Compliance Matters: It’s not all the risk they’re taking on, it’s just the first line of defence. That risk.

French Caldwell: Well, the first line, I would argue, is quite often thought of more as their boss, not them, yeah? So it’s a big challenge.

So: third generation GRC. People began saying hey, you’ve put all of this stuff in this tool, this multi-regulatory tool with some risk assessment. But individual risk managers, compliance managers, audit managers and IT security professionals were trying to provide them all capabilities with this one tool and they said no, we don’t want a 50% solution, we should meet at least 80% of requirements for the person who’s buying it. So this thing that had evolved from being a SOX tool was now being used for all kinds of other things – operational risk and so on.

Compliance Matters: So it was ‘demand push’ all the time?

French Caldwell: Right. A lot of it was. So they’re going back. Now the customers are pushing back and saying I need something that fits me. So a few of the vendors – not all of them, but a few – moved into the third generation, which is to say all right, we have this platform of a common data model, the workflow, the reporting tools, generic reporting tools, all in the platform, but we need the ability to deliver targeted solutions. I mean, my head of audit wants an audit management solution that meets most of his requirements. My chief risk officer needs one. My compliance officer needs one. They’ll all be using the same basic platform tool but they need something on top of that that meets more of their individual requirements and needs. So we’re back to what you call ‘best of breed solutions.’ These are now best of breed solutions, or what I call targeted solutions, or what my company MetricStream call apps. Like your smartphone. Smartphone’s a common platform with multiple apps, meeting different individual needs.

So some of the vendors moved into these targeted apps for individual professions that met the needs of those particular professions. That’s third generation. That’s where most people are.

* In the final instalment we look at the fourth and fifth generation of GRC software and speculate on the future.
