The wave of financial reform that followed the financial crisis is just starting to wash over banks of all sizes, including Sterling Savings Bank, which sits right on Dodd-Frank's $10 billion asset threshold.
That's a critical driver behind the Spokane, WA-based institution's decision to embark on an enterprise-wide governance, risk and compliance project over the next year, and to have the underlying workflow software hosted by an external compliance firm, MetricStream.
"With Dodd-Frank, all banks of $10 billion and greater have similar examination requirements," says Susan Palm, senior vice president responsible for audit and risk review at the bank. Palm joined Sterling in November 2010, after working in enterprise risk management at Wells Fargo. At Sterling, Palm will be responsible for the Pacific Northwest bank's audit, compliance, policy and internal asset review processes. "What I learned from a big bank will be very applicable to Sterling."
Palm and Sterling have a big project in front of them; the MetricStream deployment is just underway. The first phase of the implementation will deploy the technology in the bank's audit, compliance and internal credit review operations, with migration to the new system expected to be complete by the end of the year.
"It makes sense for us to address these areas right away, they are the highest priority for us," Palm says.
The combined GRC activities will replace the point systems that handled risk and governance functions separately for each department. That kind of siloing has been commonplace at most banks, but it is changing given the stresses on credit and compliance that the banking industry faces as it emerges from the recession.
"We've realized that risk is integrated across all business functions," Palm says. "For financial institutions in general, the regulators are really looking for an integrated view of risk. We want to be on top of emerging threats. And if there's a change in laws or rules, we want to be able to put that into our audits."
Internal IT integration will also be part of Sterling Bank's deployment: the initial wave for audit, compliance and internal credit review will be followed by an integration with Sterling's core banking system, which is hosted by FIS. Additional deployments will follow in the first quarter of 2012, including business lien risk assessments, vendor management and a bank-wide policy and standards program.
Sterling signed an outsourcing deal with MetricStream after a vendor search. The bank didn't say which firms it considered, but other technology vendors with a presence in the enterprise governance, risk and compliance and business process management space include Pegasystems, Oracle, SAS and IBM.
Once deployed, MetricStream will allow the bank to automate GRC workflows, which should make the bank less dependent on spreadsheets. The hosted solution will help the bank perform risk self-assessments, define and assess controls, track loss incidents along with their root causes and ownership, and provide a means to resolve issues. The bank will also monitor the actual audit processes, IT risks and security incidents, keep up to date on regulatory changes from the FDIC and FFIEC, and ensure adherence to Sarbanes-Oxley and Gramm-Leach-Bliley.
The user-facing tools include dashboards, automated charts and risk maps. The maps provide a visual view of risk profiles, KRI metrics, compliance issues and trend analytics that can feed into decision-making. There will also be a centralized information repository with role-based access to all governance, risk and compliance documentation, such as policies, risk-control assessments, regulatory examination documentation, internal asset data, vendor contracts and certifications.
"In the past, banks have implemented specific technology solutions for compliance, audit, enterprise risk and operational risk. While these point solutions may deliver value, the goal is to implement solutions that help us identify and manage risk across multiple business functions," Palm says.