Part Two: A Single System of Record (Sarbanes-Oxley (SOX))

In this installment of our blog series, Managing Privacy and Risk in Financial Services, we examine governance, risk and compliance (GRC) across the industry.

             Bob in Banking: “How much does it cost if we don’t comply?”

             Compliance: “Millions!”

Anyone who has worked in financial services understands how large a role compliance plays in almost every action across the lines of business. Financial regulators at the regional, national and global level establish an ever-growing set of rules aimed at reducing systemic risk, encouraging adoption of common standards, protecting customers and driving fair competition. It is all done with the best of intentions, and those who adapt best can enjoy a competitive advantage.

However, if you don't comply, you get both a sullied reputation and empty pockets. The average company's internal cost of compliance is well over $1M per year, and over $2M for companies with more than $20B in revenue. Yes, millions.

The answer is clear: a single system of record that houses all assets, their relationships, their configurations and the changes made to them, so that compliance can be tracked automatically. Yes, that exists. ServiceNow's Governance, Risk and Compliance (GRC) application, built on the Unified Compliance Framework (UCF), keeps controls in one place AND automates reporting based on incidents and changes.

In this blog post, I'll be leaning on my colleague Julia Smith to take us through the murky waters of Sarbanes-Oxley and explain how ServiceNow's Governance, Risk and Compliance application and the UCF can help:

Implementing one rule in support of one regulation in one country can be complicated enough. When global institutions must address multiple layers of regulation from many authorities, this becomes a very complicated process to build for, and it can be very costly in terms of fines incurred if compliance isn't met.

Financial Regulation Demands a Single System of Record

For banking, as for many other industries, there are many sources of rules, including all the different regulatory authorities. ServiceNow's GRC module starts with ingesting any number of regulations and standards into the Unified Compliance Framework (UCF). The UCF holds all rules in one central repository, which allows drill-downs into the background of each rule and the associated controls that need to be in place to ensure compliance.

The advantages of having controls and standards accumulated in one central repository are many, not the least of which is the ability to link common controls to multiple regulations. The one-to-many implications of this can lead to enormous time savings in reporting and reduced risk of non-compliance. Having everything recorded in a single system provides a hub to assign and track work both within Compliance and across business areas. It acts as a core repository for reference information on a specific regulation, and holds knowledge articles, FAQs and the like.

Take Sarbanes-Oxley (SOX), for example: the UCF lists all internal policies, as well as controls organized by location and by the business units responsible for delivering on those controls. The relationship between Risk and Compliance is clearly articulated, such that if Compliance goes down, Risk rises, and vice versa.

Julia Smith is a former financial services executive and transformation consultant who now has global responsibility for helping financial institutions explore the possibilities of the platform through ServiceNow's Inspire practice. To read more from Julia on GRC in banking, click on the link in the Additional Resources section below.

Tune in on Friday, September 29th, for Part Three of this Six-Part series on Managing Privacy and Risk in Financial Services.

Next Posts:

Part Three: The Cost of Non-Compliance (GDPR)

Part Four: Responsible for You and Your Friends (Vendor Risk)

Part Five: We Have a Plan (NY State Cyber Regulations)

Part Six: Rinse and Repeat (IT GRC)

Additional Resources: