Governance, risk & compliance sponsored roundtable: Taking a holistic approach

grc010

A panel convened by Operational Risk & Regulation talks candidly about how the concept of governance, risk & compliance has been slow to gain traction in the industry. But, despite the challenges of implementing a holistic framework, the benefits can be considerable

The Panel
Tom Bolger
, Vice president of global marketing, Methodware
Isabelle Chevret
, Corporate marketing and communications director, MEGA International
Matt Kimber
, Chief risk officer, Marsh
Sean Sullivan
, Senior director of product management, Actimize
Loretta Wickenden
, CEO and president, co-founder, Latilla

The financial crisis demonstrated all the value of having an enterprise view of the risks present in a financial services organisation. Regulators and politicians, as demonstrated in one of the first regulatory reports to be released following the financial crisis from the Senior Supervisors Group, are united in their desire for all firms to have a risk management system in place that cuts across risk silos and business lines. However, opinions vary widely over the best system to adopt. Enterprise risk management (ERM) in all its guises is making a comeback, but governance, risk & compliance (GRC) too can help firms address this very pressing need. However, in the past few years it seems that the concept of GRC has been misunderstood by financial services firms. Too often it has been misunderstood as the technological answer to creating a truly integrated approach to managing a financial institution. The reality is – although GRC technology and systems can facilitate convergence in an organisation – without the accompanying change management programme, it is doomed to failure.

GRC is still a young concept and it is revolutionary in the sense that its ultimate aim is to establish a fully integrated approach to risk management, governance and regulatory compliance of a financial institution. Such an ambitious concept that involves buy-in from several traditionally siloed departments within a firm is likely to take some time to establish itself as a preferred method for organising a bank, for example. Parallels in the development of GRC can be made with enterprise resource planning (ERP). It too is an integrated computer-based system but, in this instance, is used to manage internal and external resources including tangible assets, financial resources, materials, and human resources.

Initially, ERP systems saw a rapid growth in sales, followed by a slump. Even today, 20 years on from when it was first developed and the concept is very well understood, many organisations are still not using this technology. It took many years for ERP to be accepted as a sound business and enterprise concept, and the same applies for GRC. Similar to ERP, GRC requires a change management programme with buy-in and contribution from many departments. Change management projects take time. Implementing a GRC framework is not easy, but enterprises that commit to the change management and integration required of GRC can reap tremendous benefits.

The benefits of having an integrated approach to risk are well known, but even ERM stalled in getting widely accepted but now, with regulatory pressure, is gaining traction once more but, in the process, it is being confused with GRC. Both have their own challenges but with a little perseverance, and continuing regulatory pressure, the concept can gain more ground with financial services firms.

How does implementing a holistic risk management framework such as GRC or ERM benefit a financial organisation?
Isabelle Chevret, MEGA International: A holistic approach to risk management consists of taking into account all the risks that impact an organisation; for example, credit, market, compliance, operational, ethical, reputational risks and their interdependencies. Such a global view on risks breaks down the siloed approach to risk management that so often results in duplicated control systems, redundant efforts and increasing costs. A holistic approach also requires closer collaboration and better communication between those involved with managing risk, thus enhancing information sharing and transparency. It gets people talking to each other about different risks and helps them understand the business strategy context of risk, its impact on the business and how resolution can benefit all. Such an approach allows business executives to get the right information and data, and to turn risk awareness into an opportunity to improve business performance. Also, more and more rating agencies have been considering ERM in their rating process, so a sound approach to risk management is beneficial to the enterprise in more ways than one.

Matt Kimber, Marsh: The principal benefit of an effective risk framework is the ability to grow with more confidence and adapt to changes in the organisation’s operating environment proactively. Organisations that plan for change, execute well and resolve the inevitable issues with pace and confidence tend to succeed against their competitors. There are all sorts of other ways that benefit the organisation – some soft, some quantitative. For example, a cohesive framework can help bind the silos of a business together through what we call risk interlock forums through to improving the understanding of your organisation’s capital management strategy.

Tom Bolger, Methodware: A holistic framework provides the standard efficiency benefits to a financial organisation – less duplication of effort and more consistency in approach between business units. Additionally, the competitive benefits create better-informed decision-making and a clearer understanding across the organisation of the difference between a good risk worth pursuing and a bad risk to avoid.

Loretta Wickenden, Latilla: By providing consolidated reporting of disparate risks at the board level, holistic risk management (another term for ERM) helps an organisation identify and overcome obstacles preventing the achievement of its objectives. Armed with a consolidated view, the organisation can better align its risk appetite and strategy, identify risks and opportunities affecting different business units, reduce the number of surprise losses, make more informed decisions and achieve greater rewards.

Sean Sullivan, Actimize: Financial organisations that build a holistic risk and compliance strategy will benefit in two primary ways. Firstly, they are better able to manage and mitigate enterprise risk and regulatory compliance. This is made possible by collecting and sharing an enterprise-wide view of risks and regulations. Regulations are always changing and so is the nature of their enforcement within various jurisdictions. By effectively monitoring these changes, firms are able to understand where they may be out of compliance and make the best decisions on where corrective actions are necessary. Similarly, risks to an organisation can best be prioritised when viewed within the context of other risks the firm is exposed to. Such an enterprise view of risk and compliance enables decision-making in the best interest of the firm as a whole.

The second key benefit is that institutions are able to better control the costs of compliance and risk management, ensuring that assets are being applied in the right place. This is particularly true in the case of managing risk. When a firm optimises a domain of the business they must allocate funding to each such domain to manage the risk. This would seem prudent as each area manages a variety of risks, such as high risk of fraud on certain types of financial transactions and a lower risk of fraud on others. However, when viewed across the enterprise, these high-risk transactions may actually be of very low risk and value, such that any investment in mitigation could be better deployed elsewhere. Therefore – whether investing in fraud-detection technology or experts to investigate fraud – holistic approaches can be used to better deploy and focus assets.

One of the main reasons the popularity of ERM fell away was due to the misunderstanding of exactly what it entails. How would you define ERM?
Sullivan:
ERM deals with effective management of risks across the enterprise and managing, or responding to, those risks. The measurement and management processes are then optimised based on enterprise-wide needs and not those of a specific business unit, product or other subset of the whole. For some firms, the need to provide a measure and prioritise risk across the enterprise can involved an unacceptably high cost.

The high cost can be attributed to the frequently large conversion projects that seek to replace all existing risk management systems with a monolithic application. Firms sometimes simplify the pulling together of information into an enterprise view by consolidating into a data warehouse while maintaining existing systems. While this second approach can reduce costs and facilitate a better view of enterprise risk, it falls short in being able to provide integrated feedback and control mechanisms for effective governance and management of risk.

Mistakes from recent history can still be easily repeated today if firms are not careful in selecting an appropriate ERM technology framework. Effective modern systems for ERM are more flexible today, providing options for incremental deployments and support the full closed process of both measuring and managing enterprise risk.

Chevret: Many perceived ERM simply as compliance and insurance requirements enforced by regulations. This misunderstanding was heightened by the financial crisis and the increased pressure consequently felt from regulators and rating agencies. Yet ERM is not only about being compliant. This holistic approach must seek to leverage compliance requirements to drive improvement, protect assets and create value for the company. ERM’s main objective is business performance. ERM adopts a holistic approach to manage risks by taking into account all the risks that impact an organisation and their interdependencies. It should provide the means for management to make strategic decisions by defining the optimum balance between risk exposure and sustainable performance. The key success factor of any ERM implementation is the sharing of a common understanding of risk by all those implicated its management. In other words, it’s the successful adoption of an enterprise risk culture.

Kimber:
I don’t think that [the definition of ERM or GRC] is the problem. The definitions for GRC and ERM are not that different. They might use slightly different language. As an example, any ERM framework will include a formal governance structure that incorporates board, risk and audit committees. Most ERM frameworks incorporate legal and compliance risks under operational risk. So the practical difference between them is small and potentially a theoretical point.

The more important point is that each organisation builds an ERM approach tailored to its own needs and culture. Understanding how the risk perspective can help shape the key decisions in the firm and what information is required to do that are fundamental. Equally fundamental is how well a firm understands how to use the chief risk officer (CRO) role. These elements are much more likely to have led to the demise of ERM initiatives. In my role as CRO of Marsh I provide the umbrella for all risks, which includes provision for governance, risk appetite, new product approval, etc.

Bolger: Different organisations have different definitions of ERM, but all successful approaches have a common core: the establishment of a corporate-wide risk culture with consistent definition, measurement metrics and management behaviours applied to risk management and control activities.

Wickenden: We define ERM as a continual process of identifying, classifying, analysing, managing, assessing and reporting risks and opportunities related to the achievement of an organisation’s objectives. It consolidates information from each risk function such as credit, market and operational risk management to provide a unified picture and improve the organisation’s ability to manage risks effectively.

With so many vendors stating that they have a definitive GRC platform when often they are simply using it as a headline to sell a suite of products, you can forgive op risk and compliance managers for being confused. How would you define true GRC?
Chevret:
Based on our customer experience, GRC clearly doesn’t mean the same thing to everybody. A few years ago, GRC was basically perceived as a way to combine siloed initiatives within one global approach. Today, the GRC model seeks to implement a holistic approach, targeting first business performance and then correcting the technical problems within each department.

Much of the confusion around GRC lies in the notion of ‘governance’, which changes from one organisation to the next depending on its structure, culture, risk strategy and context. Today’s challenge for GRC vendors resides in the capacity to offer a flexible and modular GRC platform that can fit specific needs. A GRC system should help companies maximise business performance within the boundaries of legal restrictions and risk thresholds by facilitating the establishment of an adapted corporate governance system.

Sullivan:
From our perspective, there is no such thing as a definitive GRC platform that can handle all of the varied GRC requirements. The key to any platform is that it can be flexible enough to leverage existing firm assets while supporting the changing business demands made by the variant risk and compliance around the world.

Bolger: GRC is an integrated approach encompassing risk and regulatory compliance within parameters arising from board-level guidance. ERM can be a subset of GRC.

Kimber: Again, personally, I do not see a big difference between them. I would say Marsh runs an ERM framework, but it explicitly incorporates compliance risk and the roles that the compliance and audit teams undertake. There are also well-defined, formal governance arrangements.

Effective risk systems supplied by vendors will not be pre-determined by whether an organisation stipulates it is an ERM or GRC firm because the focus is similar. Effectiveness will be judged by whether the system is easily configurable to whatever flavour risk management framework is in place and its ability to cater for risk assessment, control assessment, event reporting, etc., in an integrated way.

Wickenden:
We define GRC as a combination of people, business processes and technology, working and communicating together in a sustainable, efficient and streamlined manner. GRC permeates throughout the organisation from the board’s directives and governance, through senior management’s strategy-setting, to day-to-day management and control.

What are the benefits of ERM and GRC and how do they compare to each other? Which approach would satisfy regulators’ demands while also delivering most in terms of efficiency?
Wickenden: ERM and GRC are closely linked and together can lead to improved identification and management of risks, much stronger compliance with rules and regulations, and improved co-ordination throughout the organisation. The implementation of both approaches will provide an organisation with the ability to align its risk appetite and strategy, enhance its risk-response decisions, recognise and take advantage of opportunities, monitor and manage potential risks and minimise costly surprises. The combined approach will allow the organisation to build a complete risk management picture. Internal and external auditors, compliance officers and risk managers will be able to focus on the same risk, using the same data and terminology. All members of the organisation are responsible for the management of risk. From a GRC perspective, management is accountable to the board, which provides governance, oversight and guidance and sets the overall culture and tone. From an ERM perspective, the organisation’s management team is responsible for establishing and maintaining strong risk management.

Bolger:
GRC is more complex to implement and maintain than ERM, but the efficiency benefits can be significantly greater due to overlap between compliance and risk. A successful GRC approach provides more long-term value to an organisation from a regulatory perspective, but success is a much greater challenge – there are many more moving parts than in an ERM approach.

Chevret:
The GRC approach helps companies establish an adapted corporate governance system by integrating internal audit and compliance activities with risk management in a common and shared system across the company. ERM is an integral part of this global system as it aims to create business value through risk management activities. Both aim to increase transparency and facilitate business decisions by co-ordinating information. The issue is not so much an either/or scenario as much as it is the ability to understand your company context in order to address its specific needs.

Sullivan:
We view ERM as a subset of an overall GRC programme, but either can exist without the other. The fundamental distinguishing element of GRC from ERM is that not only does it enable an enterprise view of risk and compliance, but it enables policy decisions to be made and supports firms’ processes for driving ‘operationalisation’ from the top down. Firms lacking GRC handle this aspect in a more piecemeal and manual way. ERM can still be effective without this aspect.

Some firms that have attempted to implement a GRC framework have fallen at the first hurdle, more often this is because they underestimated the cultural change that needs to occur alongside the technology change. What are the main challenges firms need to overcome and how can they ensure this doesn’t happen to them?
Kimber: I would agree with the statement. Understanding how risk management can help the organisation, breaking corporate inertia and instilling an environment where all parts of the organisation are risk-confident is a journey. A system might, or might not, be part of that journey. The natural building blocks would be:

  • To understand the objective of the framework, what do you want from it.
  • Structure the approach so it is aligned to the organisation and how it is run. For example, the finance risk category can be sponsored by the chief financial officer, the identified risks and associated capital held for them is overseen by them. The finance risks are presented by them at the risk committee.
  • Being creative about how to communicate about the framework is important, and the communication has to be continual and changing.
  • Find any opportunity to work with the business at the early stage of product development or strategy definition or issue resolution. A framework is 20% of the CRO’s role, 80% is being in the business working the challenge.
  • Continue to adapt, learn and be proactive.

Bolger: The cultural change is by far the biggest challenge. Aligning functions that have similarity in process but a fundamental difference – the outward-facing nature of risk management, the inward-facing nature of governance and the all-encompassing nature of compliance – is not an easy prospect. To overcome this, corporate buy-in needs to be both top-down and bottom-up. Executives need to lead by example, and business units need to realise that GRC activities are a key part of their daily activity, not a nuisance to be set aside or hurried through. Applying a broad GRC framework gradually rather than all at once provides quicker wins and showcases to convince other areas of the tangible benefits it can provide.

Chevret: The main challenges in implementing a GRC framework resides in the adoption of a common risk understanding, language and methodology. Effectively, it is the human factor. A GRC implementation requires involvement from the entire organisation. Commitment is more easily attained if its benefits are demonstrated at all levels of the organisation. Top management must prioritise risk and governance, and integrate it into the company strategy and objectives. In order to succeed, the company must allocate the necessary resources, such as clearly defining the roles and responsibilities of each stakeholder, and then holding them accountable. The company needs to define its short-term objectives, be it Sarbanes-Oxley compliance, audit assignment or risk management, without forgetting to consider its long-term objectives, thus building a consistent system that will support company evolution and business performance. The success of a GRC framework implementation relies on a step-by-step, value-added process. Many companies recognise the need to invest in some sort of GRC solution, whether internal resources or external help, such as consultancy services or a tool embedded with a methodology. At the end of the day, again, these initiatives need to be embraced by all.

Sullivan:
What we have seen is that firms taking such enterprise approaches need to understand and educate their employees to realise that, when optimising for the whole, you sometimes are not going to be as efficient in the parts. Take, for example, prioritising risk-mitigation strategies. One business unit may find that it has a high risk of fines and reputational damage due to lack of compliance with an upcoming regulatory change. Yet the firm as a whole is aware of existing deficiencies in another business unit. With finite resources available to tackle these two obligations, the firm can make the best allocation of resources by funding a project to correct existing deficiencies. The unit facing upcoming regulatory changes will not be addressing its highest-priority concerns, but the action taken will be in the best interests of the entire firm.

Additionally, as an enterprise framework is deployed, it rarely fits perfectly with all existing processes in different areas of a company. There will be terminology differences, procedural differences and, frequently, large amounts of new information from which knowledge workers can gain an insight. None of this comes without a cost, but a growing number of businesses continue to recognise that such costs are manageable and outweighed by the benefits to the firm as a whole.

Wickenden:
It is inevitable that the introduction of large-scale new systems or processes will be met by obstacles, concerns and challenges. Organisations often have multiple business units and each has its different ways of operating. This leads to the lack of a unified view of risk and compliance, duplication of activities with the associated increased costs, and lack of scalability from an enterprise-wide perspective. These problems are compounded when seasoned professionals who are accustomed to making their own decisions for their own units are suddenly faced with collaborating within and across business and functional lines. The existence of silos means there will be multiple interpretations of risks, processes, policies and procedures: time needs to be set aside to arrive at a common language, to address deviations and conflicts and to arrive at a standardised suite of guidelines, policies and procedures. The existence of silos also gives rise to differing departmental priorities. One department’s recent poor audit report might make the adoption a particular policy or previously undocumented procedure seem vitally important, while another department might view it as relatively unimportant. Strong project management will be needed to ensure that the whole implementation is not derailed until individual issues are resolved.

The implementation of such a framework needs both a bottom-up approach to encourage collective buy-in and visible top-down support from senior management to ensure that published deadlines are met and budgets controlled. It is important to involve representatives from all departments from the very beginning of the project and to provide them with a clear vision, a road map and regular milestones and updates to highlight benefits and maintain momentum. Representatives from various departments and business units such as trading, credit risk, market risk, operational risk, operations, financial control, credit, legal, IT, internal audit and compliance can all play a vital role in the introduction of such an important initiative. They can evaluate the risk management process, give assurance that risks are being evaluated correctly, facilitate the identification, classification, analysis, assessment, control, measurement, monitoring and reporting of key risks, assist in the realignment of departmental priorities, assist process owners in understanding, designing and documenting controls, and champion the existence of the framework. By defining clear and obtainable objectives, involving the right people, defining a common language and setting a realistic timeline, the organisation will be able to improve the quality of compliance and risk information, prevent duplicated activities thereby reducing costs, and implement a framework that will continue to adapt to meet the ever-changing landscape of risk management.

 

Tom Bolger, Vice president of global marketing, Methodware
Tom Bolger is the vice president of global marketing for Methodware, which provides risk, compliance, audit and investigations software to more than 1,800 clients. With nearly 15 years of experience in financial services and risk management, he has responsibility for Methodware’s market strategy.

Isabelle Chevret, Corporate marketing and communications director, MEGA International
Isabelle Chevret is responsible for the overall positioning, branding and promotion of MEGA International solutions, including the development of the global marketing and communications strategy. She brings to MEGA 15 years of experience in international business development, operational B2B marketing, partner alliances and product marketing. Chevret has a unique expertise in enterprise architecture, GRC and business process improvement markets. Prior to joining MEGA, she held different marketing positions at ASG (Viasoft), Nat Systems and CGI-Systems (now IBM).

Matt Kimber, Chief risk officer, Marsh
Matt Kimber joined Marsh as chief risk officer in May 2009.  Prior to this he spent eight years with HBOS/Lloyds Banking Group, where he held a variety of executive operational and risk management positions. Most recently, Kimber was head of integration risk for the group during their merger with HBOS, having previously led the global approach to operational risk for six years. In a career spanning 17 years in the financial services industry, his experience is drawn from a selection of interesting roles such as co-founder of a risk-based consultancy and software firm, programme director across large groups and global risk roles.

Sean Sullivan, Senior director of product management, Actimize
Sean Sullivan is the senior director of product management at Actimize and is responsible for understanding the market demands for case management and platform technology. Prior to joining Actimize, he was senior product manager at Information Builders, where his responsibilities included integrated portal and reporting products with major ERP vendors. At Information Builder, Sullivan was also a leading member of the enterprise web security architecture team. 

Loretta Wickenden, CEO and president, co-founder, Latilla
Loretta Wickenden has over 30 years of experience in the financial industry, specifically in the area of operations management and has held senior management positions in financial institutions and financial software companies. Prior to founding Latilla, she was director of product management and product marketing at Infinity, a SunGard Company in Silicon Valley. During her career in the banking industry Wickenden held senior operations management roles at several major financial institutions including Swiss Banking Corporation International and as head of derivative operations at Credit Suisse Financial Products in London and New York.

Click here to view this article in PDF format

You need to sign in to use this feature. If you don’t have a Risk.net account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here