Convergence is key

Global companies are elevating to mission-critical status the need to converge and better co-ordinate risk and control activities, according to a Risk Convergence Market Pulse online survey conducted by Ernst & Young and OpRisk & Compliance. Of the 92 organisations surveyed, 84 report that these tasks are now 'imperative' or 'very important'.

Despite near unanimous agreement about the necessity of convergence, there remains some debate as to why it is so important. Nearly all respondents (97%) believe improving the quality of risk information is the driver, followed closely by providing an enterprise-wide view of risk, clarifying roles and responsibilities, and managing costs. Half the companies surveyed go on to cite growing risk management fatigue and the need to expend significant time and money to comply with risk requirements as frequent issues and challenges within risk management and regulatory compliance programmes.

Given these myriad responses, it is not surprising to find organisations citing the chief risk officer as the most likely sponsor of convergence and co-ordination activities, followed closely by the board/chief executive officer.

Chris Richardson, a senior manager in Ernst & Young's financial services risk management practice, advises companies that there are some fundamental operating model considerations that, if employed, can improve both the quality of risk information and the underlying processes. "However, most organisations are starting from the bottom up in one area: responding to the business comments around fatigue," he cautions. "Therefore, they can lose sight of the real driver: the multidimensional provision of quality risk information across the entire organisation. This must include defining business requirements, data requirements and technology enablers across the risk management functions before initiating work." For companies to realise this holistic vision, Richardson adds, risk management convergence must be a 'top-of-the-house' decision.

Survey respondents agree that they face significant hurdles in obtaining joint development and buy-in as well as an inherent lack of flexibility and resistance to change. In fact, 57% of the respondents cite these issues as either 'very challenging' or 'challenging' as they design or implement risk management convergence solutions. Expect this trend to be exacerbated if the C-suite does not sponsor this agenda; C-level support offers a way to get people inside an organisation to co-operate.

Approximately 37% of respondents are also challenged by the need for improved communication and the development of clear messages. The business case for risk management convergence in an organisation is a very important tool – it is critical to get it right. It must articulate the vision, roles and responsibilities, and accountability of affected functions as well as state the benefits. So why is this difficult to communicate?

Historically, operational risk and compliance practioners have been focused on the measurement and management of operational risk. They have not focused on articulating the benefits of performing certain activities or identifying the positive effects of observing and analysing loss and indicator data with compliance or audit findings. But the business units are beginning to expect more value from the risk management investment, and no longer see project plans or descriptions of near misses as sufficient. These expectations put the risk management community outside its collective comfort zone. Focusing on the sole components of operational risk, compliance and information security frameworks is no longer enough. Risk practitioners need to take a step back and contemplate a new and different way of operating. But today, confusion prevails: a majority of survey respondents (52%) agree that their target operating model is difficult to define. No wonder organisations are finding the business case difficult to articulate.

Finally, respondents note that messaging to the regulatory community, while important, does not present a significant challenge. Clearly, risk management convergence aims to enhance risk management practices; it does not aim to reduce risk coverage or levels of assurance. Respondents equally support the view that risk management convergence does not require a massive re-engineering programme, reinforcing the view that most see a series of relatively smaller projects as the way forward.

Given the responses to the survey, a logical question arises: "What do I do next?" Ernst & Young's Richardson offers the following: "It is C-suite buy-in you're aiming for, so the risk functions need to collaborate as a group." Organise a working group of the key risk management/control disciplines, perhaps, to identify areas causing the organisation the greatest pain. Identify one or two key areas to focus on, and do a 'deep dive' into them to truly understand the impact to the risk and control units, and the business at large. By doing this you will be in a better position to articulate the benefits of the convergence effort in practical terms.

Understanding the benefit allows you to prioritise the sequence of enhancement initiatives and subsequently take a top-down approach. Presenting a business case based on this type of information will increase the chances of C-suite sponsorship, sufficient budget and clear ownership of a mandate for a positive change.

The results of the survey indicate that risk management convergence is moving beyond a concept to a design principle that the industry believes is important. They also suggest that the journey is just beginning.

Ernst & Young is a leader in providing audit, tax and advisory services to the banking, capital markets, asset management and insurance sectors within the financial services industry. Further information about Ernst & Young and its approach to a variety of business issues can be found at www.ey.com/perspectives.

Chris Richardson ([email protected]) is a senior manager with Ernst & Young's financial services risk management practice.