Governance, Risk and Compliance: A New Approach For Turbulent Times


The unprecedented and catastrophic failure in risk management by industry participants, regulators and governments over the past 18 months has put the spotlight on the way that banks handle risks and their governance and compliance capabilities. It must also lead to a revolution in the way that the three elements operate, and demands closer integration, according to Nick Gibson, Head of Compliance Solutions at RiskLogix.

Gibson, former head of ABN AMRO wholesale markets global compliance, believes that a common strategic approach involving governance, risk and compliance will lead to the end of the “silo” approach that firms currently take. It also implies a new way of working for compliance and a leadership opportunity. He said that GRC is the next evolutionary step beyond enterprise risk management.

Within GRC, the governance strand focuses on the way that the entity is structured to deliver on its chosen strategic and business objectives, the risk strand targets risks to achieve those objectives, and the broad compliance element maintains the policies and monitors the controls that frame the delivery of the objectives. There are two other important elements, he said: constantly looking at the wider environment to anticipate business change and model potential new scenarios; and the assurance work typically carried out by internal or external audit to make sure processes are working.

“Risks interact. If I am sitting on the board and I have responsibility for a particular set of businesses then I want to know as close to real time as possible what my biggest risks are — irrespective of source — which risks are changing and becoming more dangerous, and which are becoming more under control,” he told Complinet.

In firms that still take a silo approach to risk management a chief executive gets his market risk by reading a market risk report, his credit risk by reading a counterparty risk report, his IT risk by reading an IT security report, and his compliance risk by reading a compliance report, with no real scaling for comparison. Senior managers should instead be worrying about what the biggest risk to their business objective is at any particular point in time, the specialist said.

“If you look at risk across the silos then you rapidly realise that you have different silos approaching similar risks in uncoordinated ways, or failing to share information, which is a waste of effort, or you have got areas where there are particular risks that none of the silos are looking at properly.”

In practice

On a practical level closer integration can initially be fostered through mandatory information exchange, as well as a convergence of working practices. There will be inevitable growing pains, but these will be planned for and overcome, he said.

By taking a more integrated approach across the three elements, and costing risks and controls, businesses can be smarter in the way that they employ resources, Gibson said. If a firm is spending very little on trying to contain a risk that could potentially cost them a great deal of money or spending a great deal on offsetting risks that could potentially cost very little, they are not being smart. This presents an opportunity for compliance, said Gibson. He said that compliance needed to look more closely at the way risks evolve and develop and the performance of controls. Compliance officers needed to be fleeter of foot and put more resources into areas where the risks are greater or more volatile.

“Compliance needs to become more risk focussed, not so much with the premium advisory work which clearly doesn’t lend itself to systemisation, but with a lot of its process-based work on monitoring and on PA dealings and registrations for example. Compliance needs to think about what the risks of these processes going wrong are and what is being spent to get it right. It needs to be proportionate,” he said.

“The concept of compliance risk appetite is no longer heretical,” he added.

This approach means that compliance can become more credible and business-orientated in its resource discussions with board members, especially when it is devising budgets. A properly prepared budget or pitch includes a “shopping list” approach, Gibson said. Compliance costs the specific activities and risk areas it covers. Where there is pushback on the proposed numbers, the board then needs to be invited to choose the specific risk areas that they want less resource devoted to. It certainly gets them thinking, said Gibson.

Taking the lead

The GRC approach also presents compliance with an opportunity to take the lead in driving the change and subsequent convergence on behalf of the board. “It is logical for compliance to take a lead because compliance is used to managing change, and where there is a risk breakdown there is likely to be a regulatory impact and therefore a compliance intervention,” he said.

Gibson added that it was essential to secure senior managers' ownership of the adoption of a GRC approach. Implementation of the approach requires someone at board level, preferably the chief executive, to take charge and drive it forwards. Ultimately, recent events had exposed the fact that many in senior management positions at firms had failed to genuinely understand what risks their institutions were taking. This has to change, Gibson said. The current approach had failed globally and a new holistic approach was the only rational choice. The business benefits are potentially enormous, he said. Apart from the obvious cost benefit, firms would be better placed to identify and act on upcoming opportunities and risks ahead of competitors.

“Compliance needs to get smarter. Just because there is a rule that needs to be followed it doesn’t mean that you need to devote disproportionate time, resources, and expertise, to achieving it if the risk of not achieving it doesn’t hurt you that much. Smarter and more focussed thinking is needed.”

Nick Gibson

Interview first published on 27th October 2008.
