Governance Risk Compliance

What challenges do banks and insurance companies face?

Financial institutions and insurance companies face pressure to change from two sides. On one side stands ever-increasing networking and digitalization; on the other, new regulations, laws, and enhanced regulatory requirements. For banks these come from BAIT and SREP, for insurance companies from VAIT, and for both from the DSGVO.

With the "Banking Supervisory Requirements for IT" (BAIT), BaFin has specified the "Minimum Requirements for Risk Management" (MaRisk) in the area of IT risks. With the "Insurance Supervision Requirements for IT" (VAIT), it now also covers insurance companies and specifies for them the provisions on business organisation in the Insurance Supervision Act (ISA). Both BaFin requirements cover the topics of IT governance and information risk management.

The ECB also sets "homework" for financial institutions in the "Supervisory Review and Evaluation Process" (SREP). The SREP addresses risks arising from information, communication, and technology (ICT). In general, the deficiencies it identifies must be remedied within a certain period of time.

The General Data Protection Regulation (DSGVO) applies to almost all areas that process personal data. For instance, it applies to payments or the processing of employee data.

The "defence" has to stand firm

It has become increasingly complex to carefully coordinate tasks and ensure that risk and control processes work. This is where the "Three Lines of Defence" model comes into play – scalable and independent of the size, type, and complexity of the organizational structure.

The first "line of defence" is formed by all operative units that provide service, support, and control processes for the bank. These units are also responsible for all processes, functions, and services the bank has outsourced. They provide evidence of the effectiveness of the operative control system to the second line of defence, measured against the targets it sets.

The second line of defence defines mandatory targets – both for the internal organizational units of the institute and for outsourced processes, functions, and services – also ensuring the quality of the information provided in the first line.

In addition, the second line is responsible for checking the operational effectiveness of the implemented operational control system.

Internal Audit – the third line of defence – audits the functionality of the internal control systems of the first and second lines of defence in terms of their design and operational effectiveness.

What our experts can do for you

The market rewards companies that know how to handle risks. For good performers, the right risk identification and assessment measures are indispensable. Our consultants help you find them.

They identify and assess the relevant regulatory framework conditions, define a suitable governance structure, and develop the guidelines and policies needed to establish a compliance management system. In addition, our experts help you control operational risks.

They design and operationalize processes while paying attention to your specific organizational framework conditions for structure and processes. They implement control processes on an integrated GRC platform (e.g. RSA Archer Suite) and connect existing systems. This way you can be sure that regulatory requirements are met in a manner that is easy on resources, efficient, and economical.

How we work for you

syracom employs …

an integrated approach. This makes it possible for stakeholders to forecast risks more accurately and capitalize on the great opportunities of their company. For this reason, we offer you a GRC approach with integrated audit, risk, and compliance management activities.

operationalisability. Regulatory requirements increasingly take the form of structural interference in and measures affecting the design of the GRC processes in companies. Our consulting approach helps you find answers, recognize connections, and develop activities for a balanced and realizable overall concept.

tailor-made solutions. We work with you to make sure that your employees actually use the respective GRC applications on an integrated platform, and that these applications don't just collect dust as "mass-produced products".


Call or write to me

Alexandra Krasina

Head of Business Unit
Governance Risk Compliance

Phone: +49 6122 9176 0