The risk and compliance industry is practically unanimous – 91.3% of respondents to the most recent OpRisk & Compliance Intelligence survey say they believe it is important for their own firm to converge or better co-ordinate risk and control activities.
However, results from the new survey, sponsored by consulting firm Ernst & Young, show that executives are struggling with the implementation of this improved convergence because of existing silos of activity and of budgets.
Chris Richardson, a consultant in the risk advisory services group at Ernst & Young in New York, says the need for convergence now does not mean risk and compliance programmes were poorly implemented to begin with. "It is more a question of timing," he says. "I think the volume of regulation has slowed down slightly over the past six to 12 months, and consequently people have been able to sit back a little bit and see what they have ended up with."
Richardson says the people in the industry he is speaking with are also moving beyond just trying to bring together their Sarbanes-Oxley and operational risk programmes – integrating the risk control self assessments of these two initiatives was at the forefront of the convergence trend. In fact, Richardson says his consultants have gone into firms where there has been a range of between 20 and 50 different risk control self assessment programmes operating simultaneously.
"People are taking a bigger step back now, and saying it's not actually just operational risk and Sarbanes-Oxley where there is maybe some duplication of effort or overlap in the framework," says Richardson. "It's broader than that, maybe we need to converge some of these risk management activities to become better providers of quality risk information, and at the same time become more efficient where we can."
Indeed, some 50% of respondents to the survey indicated that one of the main challenges their organisation is facing within its risk management and regulatory compliance programme is "growing risk management process fatigue, expending significant time and cost to comply with risk requirements". And 52.2% say the "desire to properly align risk metrics", including definitions, measurements and reporting, is a challenge within their firm.
However, financial considerations are also driving the need to slim and focus risk and compliance initiatives. Nearly 57% cited the "increasing need to drive hard business benefits from the significant investment in regulatory projects" as a challenge facing their firm. Meanwhile, nearly 56% said the increasing costs of systems, processes, and staff to manage and report risk was a challenge for their firms.
But whatever the reason, convergence seems to be in the air at the moment. "There seems to be a drive to get people to collaborate a little bit more across the traditional risk and control silos, so we are seeing in a number of institutions a desire to bring compliance, operational risk, Sox, audit, and information security people into a room together and actually be very open about how they do things, where they are doing it, and trying to identify the overlap," says Richardson. "There seems to be a spirit of this in the industry."
But actually implementing a convergence programme is not easy. Almost 40% say the absence of executive sponsorship makes implementing a convergence programme a "challenge" or "very challenging". Indeed, nearly 28% said a convergence programme in their organisation is likely to be sponsored by the chief risk officer, who, while a part of the senior management team, isn't able to give the broad mandate a chief executive officer or the board of directors can give. The survey showed that some 16% of firms would have the CEO as the sponsor, while another 16% would have the board of directors as the sponsor.
Connected to this is the fact that nearly 60% said the need for joint development and buy-in from all affected lines of business was a challenge or very challenging at their firm. Without the "tone from the top", firmwide programmes such as convergence are much more difficult to implement.
Communication is also a problem, with some 51.1% saying there is a need for improved communication and clear messages about their firm's convergence programme. Other key problems include the lack of flexibility in organisations and their resistance to change. "When you look at the survey, people are saying it's difficult to communicate a clear message to internal sponsors and stakeholders," says Richardson. "I think part of the problem is that only part of the solution is being communicated at any one time. People haven't taken that big step back and tried to embrace the true principle and the opportunity. There is too much ownership of the current process. People are reluctant or fearful of what might happen to their world, and without the sponsorship from the top it makes it difficult to convince everyone that this is a beneficial play for them."
Respondents certainly see the potential benefit of a convergence programme. Some 73.6% say they believe that an improved quality of risk information will be one positive outcome of a successfully implemented risk convergence programme. And nearly 62% say they would expect to see a more comprehensive, enterprise-wide view once a convergence programme is in place.
But many firms are not very far along in implementing their convergence programmes. At nearly one-quarter of firms, only ad-hoc discussions have taken place. However, nearly 16% of firms were able to report that work on a convergence programme is taking place firm-wide, while at 13.3% of firms, work is in progress within specific areas.
Richardson says that in some cases it might make sense to use existing business process improvement frameworks to drive forward the convergence programme. "In operational risk, Six Sigma is a phrase that is being bandied about at the moment. I don't think it is too big of a stretch to consider that there are some techniques within Lean or Six Sigma or something like that, which can help an institution gather some factual information – some kind of measure around a risk process and a common hierarchy of risk measures that brings it all together and enables you to articulate a benefit in the long term."
Incorporating a risk convergence philosophy into an organisation clearly continues to be a challenge, but it's clear that firms are buying into the value that such a programme could create.