Governance, risk management, and compliance (GRC) are corollary disciplines that ensure that organizations can fulfill their business objectives in a responsible way. GRC is best understood and managed under one umbrella since they each contribute and work together with the other disciplines.

Together, they impact an organization’s success or, at a minimum, help prevent disruption by addressing the following purposes:

  • • Risk management is about predicting and managing risks to achieving business objectives.
  • • Governance defines people and processes that manage both risks and business functions.
  • • Compliance is ensuring adherence to internal company policies and governance frameworks, as well as external legal and regulatory obligations.

Although GRC as a concept is applicable to any industry, it has heightened relevance in the global financial services sector, which has come under ever changing and stringent regulatory requirements as a result of its impact on the public and national economies.
Capital adequacy, market liquidity risk, and stress tests are particularly stringent for Systemically Important Financial Institutions (SIFIs) or “too big to fail” banks. Financial companies have an urgent need to focus on principles of risk data aggregation and reporting framework described under BCBS 239 (Basel Accord) and to fulfill the requirements of regulations like Comprehensive Capital Analysis and Review (CCAR), European Market Infrastructure Regulation (EMIR), Markets in Financial Instruments Directive (MIFID), Dodd Frank etc.

Beyond regulatory requirements, these companies must also internally manage the risks to ensure survival and profitability by segmenting and managing risks as operational, financial, credit, market, information security, technological, and other sub-categories.

One large North American financial holding company initially took an approach which involved using vertically integrated, specialized risk reporting solutions under the direction of a major consulting firm. But after months of effort they were still struggling. As requirements kept changing, the entire vertical stack of calculations and reports had to be repeated, resulting in huge effort and delays.

The revelation was that 80 percent of the work was in the data layer with hundreds of databases and sources of information, siloed across organizations and functions, that still posed a significant challenge of “wild west of data” even after months of effort.

To resolve this, they embarked on a new approach to GRC which involved making data the foundational layer and creating a reliable single source of truth that is consistently defined, of high quality, and easily accessible and available for both internal and regulatory use, with commensurate governance, lineage, and security.

To do this efficiently and retain flexibility, they employed data virtualization technology - with its inherent data abstraction, integration, and data services capabilities - to create a layered approach to data assets. The first layer they created was Canonical Views of Line of Business (LOB) data from original sources and data warehouses without further replicating them.

The next layer had Business Data Views combining LOB Data for specific functional needs, management control, and regulatory reporting needs.

Alongside the architecture and technology implementation of data virtualization, there were parallel efforts that focused on maturing data management and governance practices. The results were a dramatic reduction in time to develop reports, reusability of calculations and data views, and resulting accuracy and timeliness in meeting regulatory obligations.

Further, they found significant benefits to the business such as faster integration of acquisitions, risk analytics, and opportunities to cross-sell customers across LOBs. After several failed attempts at point solutions, this SIFI bank achieved great success with the data virtualization approach and went on to become an award-winning organization for its data management practices.

Pharma, healthcare and energy are some other industries with challenging GRC requirements. Life Sciences companies must collect numerous sources of data in each phase from drug discovery, clinical trials and regulatory approval before finally reaching go-to-market.

Data silos such as basic scientific research, internal trials external Contract Research Organizations (CROs) and Bio-Sample repositories, Physician CRM solutions, and other sources can be organized by data virtualization into canonical data services such as Disease, Molecule, Drug, Trial, Investigator, etc. This makes regulatory compliance and approvals move faster, which could potentially result in millions of dollars in savings in both drug development costs and time-to-market competitive advantage.

Another major benefit of virtualized data services in healthcare is being able to expose just the needed data elements to external collaborators with full governance and compliance with HIPAA regulations. A major university research hospital found it could significantly improve patient outcomes and expedite the discovery of new diagnostic tools and treatments using a "bench-to-bedside" translational medicine approach and collaborating with multiple pharma companies.

The patient and clinical data were obfuscated, while the common data model used to share information securely across companies helped speed up the trials. The same patterns can be found in Oil & Gas exploration, whether it is reporting on ground water contamination (external) during fracking operations, real-time drilling information analytics (internal) or Single-view-of-Well (both). Lastly, it can be used in Manufacturing and/or Transportation scenarios when reporting on passenger safety.

While each industry has several domain-specific, integrated and point solutions for GRC they often do not address the underlying data problem. Data virtualization addresses precisely this challenge with a data management approach that is at once holistic, light-weight, and agile to evolve as the organization’s needs change and serves other applications and users with reliable source of truth data.

Data virtualization enables unified data governance by creating a Virtual Data Services Layer across internal and external data sources, while leaving the source data where it is.

A strong data management function sponsored centrally by the chief data office builds guiderails of standards, access control, certified provisioning points, and strong data governance. However, access to data is decentralized in a self-service model for business users, reporting and regulatory interface teams.

This approach minimizes replication saving millions of dollars, but more importantly reduces the time and complexity to reach the objective of enhanced GRC.

Industry leaders in every field are adopting data virtualization in the context of GRC to tackle the challenges of internal risk management, regulatory reporting, and enhanced agility in the face of changing business needs. In fact, we saw one financial company’s journey from chaotic data to unified GRC data and key takeaways from their experience. This could be a lesson and guideline for your own GRC data management journey.

(About the authors: Suresh Chandrasekaran, is senior vice president at Denodo Technologies. He is responsible for global strategy and growth initiatives in addition to operational leadership in other areas. For more information visit Indy Sawhney is a partner at Mindtree and anchors their banking and financial services clients in North America. Visit

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access