Governance, risk and compliance: corporate sustenance or snake-oil?

There are fundamental questions around GRC that do not yet have consistent answers, however, such as what GRC is, how it advances the strategic risk management framework, whether the benefits are real or illusory, and how the tools help.

GRC is, first and foremost, a particular organisational philosophy. It requires absolute commitment at the most senior level for it to have a chance of working.

Evolution
GRC is the current stage in an evolutionary progression around how organisations protect themselves and their stakeholders.

The three stages are:

• Creation of risk oversight functions that work alongside the business and assist in the management and mitigation of types of specialised risks — market, credit, IT security, corporate security etc. The drawback to this first model was a form of tribalism — languages and approaches differed, valuable information transfer between tribes was almost nonexistent, and duplication and gaps were inevitable. This caused the next stage in the academic evolution of risk management.
• ERM came to prominence in 2004 under the Treadway Commission/COSO framework, and was designed to be “applied in strategy setting and across the enterprise to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”.

The simple application of ERM was to break down the walls between risk management silos, to enable a more holistic approach to identification, testing and management of risks to the entity as a whole through consolidating risk function outputs. This was bolstered by the creation of the operational risk management discipline within Basel II, and the recognition of compliance as a risk management function (often with the associated change in reporting line).

The drawbacks to this approach in practice tend to have been:

• Tactical (rather than strategic) implementation.
• Patchy success in securing C-level sponsorship and accountability.
• Unanswerable questions around return on investment.
• The exclusion of reputational and strategic risk under Basel II.
• Often, the self-interest of tribal risk functions.

The firms which have come closest to achieving ERM in practice have, however, secured significant commercial and regulatory benefits. This was demonstrated in the G8 Senior Supervisors’ Group’s March report on risk management practices during the recent market turbulence.

To take this from being a tactical initiative to a strategic one, a further evolutionary stage was required:

• Governance, risk (management), and compliance, the main differentiator of which is that it draws in the concerns of the broader group of entity stakeholders, from the board and staff to shareholders, customers and society at large. It starts from the shaping and delivery of the entity’s strategic business objectives at the most senior level (within the context of the entity’s values and standards as expressed through policy) — the governance term. The approach also grants a clear perspective on whether activities add, preserve, or erode value. Risk and compliance are discussed below.
• The particular drawbacks to this approach are that, at present, it is a largely theoretical concept that is open to multiple interpretations. Introducing a full GRC approach will necessarily entail a period of carefully managed chaos while the organisation agrees and adapts to the change, and that it requires unbroken focus on progress and alignment at the most senior level, where time is at a premium.

GRC — the wider picture
Governance, risk and compliance is clearly about more than these three specific components. To deliver, it must run throughout the entire organisation, from top to bottom and side to side.

Fundamentally, GRC first requires engagement at board level to identify and mitigate the threats to the achievement of the chosen strategic objectives, irrespective of the source or nature of the threat, and direct resources both to deliver the objective and to manage those risks. Without that continuing commitment it must fail.

Risk management and compliance activities then share a unitary focus on dealing with threats to those strategic corporate objectives, through addressing strategic business unit objectives. This will start with the preservation and enhancement of the brand through effective and efficient resource management and prioritisation.

Risk management in our GRC definition — identification, assessment, measurement and mitigation — brings in the activity and controls that are directed at managing the full spectrum of organisational risk, regardless of origin — from physical and IT security, HR and supplier risk, to compliance, anti-money laundering, and observance of international sanctions to the more traditional market, credit and operational risk functions.

Similarly, compliance in this definition — advisory and monitoring — extends beyond the traditional purview of the compliance function, to encompass compliance with internal policy and external law and regulation that affects all spheres of the entity’s activities, from employment and data protection regulation to securities and banking law to internal sustainability and external environmental obligations.

For further clarity in delivery of the new model, two other factors and functions need to be addressed specifically within the definition, GRC++. The first is assurance (predominantly internal control environments and their interaction with audit, which operates independently of the other control functions and with a direct line into non-executive or supervisory board members).

The last point is horizon scanning — the responsibility of all business and control functions to look beyond the prevailing situation to possible future events, and thereby to identify new risks and opportunities in good time. The function obviously includes scenario and stress testing, but with a view also to introduce what may currently appear to be irrational scenarios and stresses together with original, “what-if” thinking.

Each point on the star connects to each of the others, which illustrates their co-dependencies and relationships. For example, as part of its governance obligation, the board has a continuing obligation to scan the horizon to ensure that strategic business objectives remain relevant and achievable. Internal audit provides independent verification that agreed risk processes are working, and so on.

Implementing a GRC++ approach — challenges and benefits
Bringing a practical GRC design to fruition within a financial services organisation requires:

• continuing resource commitment at the most senior levels;
• the creation and communication of a common set of overarching strategic business objectives which take into account the needs and wishes of stakeholders, including regulators;
• the creation and communication of relatively simple policy statements which set out the parameters within which the strategic business objectives will be achieved;
• the consolidation of a number of varying information outputs across businesses and control functions into a comprehensible set of common elements, to create valuable qualitative indicators;
• the application of financial modelling to the inputs and outputs, to identify the cost and value of risks and controls and enable rational resource allocation;
• the continuous application of expert human judgement to all consolidated information;
• effective and frequent internal communication of information, obligations and expectations;
• cohesion and cooperation rather than partisanship throughout the support functions; and
• absolutely rigorous planning and progress monitoring to integrate the new approach across all business and control areas.

The scale of effort required to bring this about is obviously significant. At a time when financial institutions are seeking to shrink their cost bases as fast and as far as possible, any programme with no immediate bottom line impact, however worthwhile, is likely to end up in the “pending” tray.

Why is GRC still worth the investment?
The financial services industry globally is undergoing a largely unforeseen seismic event, calling existing governance, risk management and compliance standards into serious question, at both financial institutions and regulators.

It is clear, not least from the SSG report, that far better coordination and communication internally would have ameliorated the worst effects for those institutions that have suffered, and are suffering, higher impact from the global credit and liquidity drought. Which of the banks with sub-prime assetbacked securities portfolios or origination activities were receiving information about default trends from their residential mortgage operations to assist in valuation, and how was the data factored in?

With economic indicators worsening almost across the piste, and in particular for financial services and banking, it seems inescapable that the current environment will continue its downward trend: consequently, the impact on financial institutions during the next couple of years of failing to manage risk effectively or failing to anticipate future problems crystallising will be exaggerated in this atmosphere.

Effective leadership and risk management approaches become Darwinian: they are the crucial measure for identifying those firms which will emerge from this cycle in best shape. This is the first main argument in favour of the GRC++ approach.

The second is that, despite the far-reaching nature of the contemplated change, and the commitment of capital, there are financial arguments in its favour:

• A GRC++ approach significantly reduces resource overlap between support and control functions, and enables the identification of redundant or poor value processes.
• This in turn leads to cost saving, or reallocation of resource to generate better value.
• Running the organisation in this way leads, as the SSG has demonstrated, to lower levels of financial losses that arise from the crystallisation of risk events.
• It also enables the earlier identification of future business opportunities, where early adopters tend to generate higher revenues.

There is no particular reason to design and implement complex new technology tools with huge data warehouses; the GRC++ approach should be supported by relatively easy modifications to existing risk management tools and systems, with a simple overlay. The crucial point is that to achieve it, the firm is consolidating and filtering multiple base system outputs, not multiple base systems.

In simple terms, a systems tool to support this should be capable of capturing and linking:

• corporate and business unit strategic objectives;
• summary statements of policy that support them (which include, as a matter of course, the internal translation of regulatory requirements);
• risks — including compliance — which threaten their delivery;
• the controls — including compliance monitoring — which mitigate those risks; and
• filtered information from across base systems which impacts on the risks and controls.

The tool should also model financially all risks and controls, undertake stress/scenario testing, and provide senior managers with simple, easy-to-use consolidated graphical and numerical outputs to enable quick, informed and focused business decision-making.

Inevitably, the final question must be, is the industry ready to move to a governance, risk and compliance approach? It is clear that the majority of the industry has not yet implemented comprehensive ERM approaches, despite their obvious value. If the map now exists to drive to GRC++, however, why stop off at ERM-ville on the way? Clearly the possibility exists for any firm to evolve straight to the new approach if it chooses to, and the early implementers who see this as a rational business decision will have the resultant platform for growth sooner.

First published in Complinet ‘Senior Management Responsibility’ August 2008