Financial firms need to go back to basics

The concept of governance, risk and compliance has evolved in reaction to increasing regulatory complexity and change. But, as Ellen Davis points out, it's complexity and change that threaten GRC initiatives at financial firms, and simplicity might be the key to GRC success

Governance, risk and compliance (GRC). It makes sense to have a unified approach to how a financial services firm operates, but it is amazing how such a simple concept can be so difficult to achieve.
The first hurdle that many firms that wish to implement a GRC framework complain about is the existing regulatory or supervisory structure that they have to contend with. In the US, for example, many financial institutions have to deal with a range of different regulators as a result of that country's patchwork of state and national authorities. Different supervisors oversee different bits of an organisation, and then there are other interested parties as well. The situation doesn't get much better in Europe, where there is a patchwork of countries, and a much higher pain threshold on the regulatory front – so even if there is one national regulator for financial services, often firms are dealing with a large number of regulatory entities across their business. And those regulators can be very demanding – for example, consumer-protection legislation in many countries is fairly onerous.
On top of the supervisory structure, of course, is the wave after wave of new legislation and regulation that financial services firms have to contend with. Before the current credit crunch hit, it seemed for a brief moment that the longed-for hiatus had finally arrived. But now hundreds of pages of navel-gazing have been produced by various national and international regulatory authorities, and as a result firms are bracing themselves for the onslaught of 'Son of Sarbanes-Oxley' – perhaps several sons, across a range of issues that have come to the fore as a result of recent events. There is tremendous political pressure on governments to 'do something' to prevent a recurrence of the credit crunch, and also to punish the banks. Justice must be done.

Of course, in some ways, the concept of GRC was created to tackle these very issues – regulatory complexity and change. One of the core ideals of GRC is that complexity is managed so that supervisory evolution becomes part of day-to-day business. But at the moment, there is every danger that complexity and change may swamp nascent GRC initiatives at firms. This must be guarded against.
The next challenge that firms face is the difficulty in getting senior management buy-in to the GRC religion. One would think that an initiative that would ultimately reduce costs, improve transparency and communication, and upgrade the firm's risk management capabilities would be something that senior management – and indeed boards of directors worldwide – would be queuing to subscribe to. Sadly this is often not the case.
Partly, this is because these top-level executives have been hurt before by large, happy-sounding initiatives. Think about all the billions of dollars that have been burned on the altar of enterprise-wide risk management (ERM). And yet one of the root causes of the credit crunch was apparently the lack of an enterprise-wide view of risk at many firms.
In large firms, the bigger the initiative, the harder it is to keep it on track and under budget. Also, maintaining the interest and enthusiasm of the rank-and-file who are implementing the changes is tough – but more on that later.
And so many ERM attempts have resulted in rump reports, which no-one can remember how to construct; head count inflations followed by deflations; and confusing analytics based on suspect data, which senior management and the board have difficulty understanding, let alone knowing how to act on. Is it any wonder that GRC is greeted with cynicism in some quarters?

However, senior management and board-level support is crucial if a firm is going to effectively implement GRC – time and time again studies show that the message at the top matters. Without it, GRC is doomed to be another one of those initiatives that adherents get passionate about with a slightly disturbing intensity, but which anyone outside the implementation group views as slightly bizarre. Think Six Sigma – while many acknowledge the intelligence of its approach, they recoil at the gimmicky buzzwords, expensive training and the insularity that many of its implementation teams tend to develop. These kinds of initiatives can become dumping grounds for internal talent that 'no longer has a home', the place where people who are being 'managed out of the business' more gently than others are housed. No-one really takes the project seriously or thinks it will gain traction.
But GRC is different. It's different because it's not a 'like to have' any longer – it is a 'must have' for financial services firms. And the sooner senior management and boards of directors understand this, the better.

How? The world's regulators must get on the GRC bandwagon. Until now, the regulatory push for GRC has been limited to a few isolated supervisors scattered across the globe. Now, post credit crunch, they are less in need of a weighty tome of new dictates and more in need of a philosophy. GRC is it. It embodies all that regulators really want firms to accomplish – improved governance, risk and compliance – and it is business-friendly to boot.
Some new rules will be needed as a result of the subprime debacle – liquidity risk rules spring to mind – but really the sum total of the lessons learned from the crisis for most firms is that they are simply not doing what they already do well enough. Firms don't need new principles or guidance or inspections or whatever. They need to get their act together, take GRC seriously and get the basics right.
GRC – back to basics. I like the sound of that.
So my plea is that regulators read the following pages, which contain much genuine thought leadership on the subject, and think – how can we help firms get this stuff right?
Given this unified guidance from the regulatory community, senior management and boards will swiftly begin to sing from the same hymn sheet – not only because they have to be seen to comply but also because it makes sense to. But for this to work, the regulators must make GRC the 'mood music' that permeates everything they do and say.

Which brings me to the final major obstacle of GRC implementation – business units. Gosh they can be tricky – the business unit has the ultimate weapon: it votes with its cheque book. At the majority of firms, risk and compliance executives have to go with their begging bowl to business units for funding for any new initiatives. Hence credit and market risk are so lavishly funded relative to operational risk and compliance issues.
Who wants to spend on a fancy new compliance monitoring system if it means your bonus will be reduced for the year, because the new system spend will affect your division's profitability? No-one.

There are two points here. First, senior management, boards and regulators must alter the way they approach change management in firms. I'm a firm believer in the capitalist system, but there is a significant mismatch in firms between decisions that are taken at the top of the tree for the greater good, and the funding of the implementation of those decisions. GRC is needed for the greater good of firms, and so at least a portion of the initiative should be funded from the top. Instead of having to beg for co-operation, risk and compliance executives should be given a kitty of money that they can spend on improved systems and controls for business units that are co-operative and GRC-friendly. The culture of organisations should change so that GRC is seen as a potentially profit-enhancing bonus to compete for. Business units that buy in should be rewarded and praised and given one-off bonuses.
The second point is related to this. A lot of hooey has been spoken about the lack of alignment between the risk that shareholders of a bank face and the risk faced by a 25-year-old CDO salesperson who gets giant annual bonuses and then resigns before the paper all heads south. It's an obvious point in hindsight. This culture has led to a lack of willingness by business units to invest in GRC-type programmes. Given the events of the past 10 years – how many 100-year events have firms on Wall Street and in the City experienced? – frankly GRC products and services should be flying off the shelves. But while trade is brisk, it hasn't built to the kind of frenzied hysteria that we saw, for example, around Sarbanes-Oxley deadlines.
Business unit heads, and those under them, must also have their compensation packages adjusted so that they are rewarded for decisions and investments that will benefit the business, the firm and the shareholder over the longer term – so that investment in GRC makes sense for them in the here-and-now, and the benefits are tangible in the standard year-long time frame within which their compensation deals are usually structured. With those kinds of incentives for decision-making, GRC will rapidly become embedded in organisations, to their longer-term benefit.
In conclusion, it is essential that regulators, senior executives and business unit heads all grasp the nettle – recent events are a wake-up call. But for there to be a sea change in the way GRC is regarded, that change must take hold across the entire financial services framework, not in one constituency alone.
If there was ever a case for change, recent events have provided it. I'm hoping that the changes that are made will be for the best. They need to be, and GRC needs to be a big part of them.
