The unprecedented and catastrophic failure in risk management by industry participants, regulators and governments over the past 18 months has put the spotlight on the way that banks handle risks and their governance and compliance capabilities. It must also lead to a revolution in the way that the three elements operate, and demands closer integration, according to Nick Gibson, Head of Compliance Solutions at RiskLogix.
Gibson, former head of ABN AMRO wholesale markets global compliance, believes that a common strategic approach involving governance, risk and compliance will lead to the end of the “silo” approach that firms currently take. It also implies a new way of working for compliance and a leadership opportunity. He said that GRC is the next evolutionary step beyond enterprise risk management.
Within GRC, the governance strand focuses on the way that the entity is structured to deliver on its chosen strategic and business objectives, the risk strand targets risks to achieve those objectives, and the broad compliance element maintains the policies and monitors the controls that frame the delivery of the objectives. There are two other important elements, he said: constantly looking at the wider environment to anticipate business change and model potential new scenarios; and the assurance work typically carried out by internal or external audit to make sure processes are working.
“Risks interact. If I am sitting on the board and I have responsibility for a particular set of businesses then I want to know as close to real time as possible what my biggest risks are — irrespective of source — which risks are changing and becoming more dangerous, and which are becoming more under control,” he told Complinet.
In firms that still take a silo approach to risk management a chief executive gets his market risk by reading a market risk report, his credit risk by reading a counterparty risk report, his IT risk by reading an IT security report, and his compliance risk by reading a compliance report, with no real scaling for comparison. Senior managers should instead be worrying about what the biggest risk to their business objective is at any particular point in time, the specialist said.
“If you look at risk across the silos then you rapidly realise that you have different silos approaching similar risks in uncoordinated ways, or failing to share information, which is a waste of effort, or you have got areas where there are particular risks that none of the silos are looking at properly.”
On a practical level closer integration can initially be fostered through mandatory information exchange, as well as a convergence of working practices. There will be inevitable growing pains, but these will be planned for and overcome, he said.
By taking a more integrated approach across the three elements, and costing risks and controls, businesses can be smarter in the way that they employ resources, Gibson said. If a firm is spending very little on trying to contain a risk that could potentially cost them a great deal of money or spending a great deal on offsetting risks that could potentially cost very little, they are not being smart. This presents an opportunity for compliance, said Gibson. He said that compliance needed to look more closely at the way risks evolve and develop and the performance of controls. Compliance officers needed to be fleeter of foot and put more resources into areas where the risks are greater or more volatile.
“Compliance needs to become more risk focussed, not so much with the premium advisory work which clearly doesn’t lend itself to systemisation, but with a lot of its process-based work on monitoring and on PA dealings and registrations for example. Compliance needs to think about what the risks of these processes going wrong are and what is being spent to get it right. It needs to be proportionate,” he said.
“The concept of compliance risk appetite is no longer heretical,” he added.
This approach means that compliance can become more credible and business-orientated in its resource discussions with board members, especially when it is devising budgets. A properly prepared budget or pitch includes a “shopping list” approach, Gibson said. Compliance costs the specific activities and risk areas it covers. Where there is pushback on the proposed numbers, the board then needs to be invited to choose the specific risk areas that they want less resource devoted to. It certainly gets them thinking, said Gibson.
Taking the lead
The GRC approach also presents compliance with an opportunity to take the lead in driving the change and subsequent convergence on behalf of the board. “It is logical for compliance to take a lead because compliance is used to managing change, and where there is a risk break down there is likely to be a regulatory impact and therefore a compliance intervention,” he said.
Gibson added that it was essential to get senior managers ownership for adopting a GRC approach. Implementation of the approach requires someone at board level, preferably the chief executive, to take charge and drive it forwards. Ultimately recent events had exposed the fact that many in senior management positions at firms had failed to genuinely understand what risks their institutions were taking. This has to change, Gibson said. The current approach had failed globally and a new holistic approach was the only rational choice. The business benefits are potentially enormous, he said. Apart from the obvious cost benefit, firms would be better placed to identify and act on upcoming opportunities and risks ahead of competitors.
“Compliance needs to get smarter. Just because there is a rule that needs to be followed it doesn’t mean that you need to devote disproportionate time, resources, and expertise, to achieving it if the risk of not achieving it doesn’t hurt you that much. Smarter and more focussed thinking is needed.”
Interview first published on www.complinet.com on 27th October 2008.