GRC Roundtable: Getting the edge


Do you view your current governance and reporting requirements as too complex and, if so, what are your areas of greatest concern?

Angela Isaac, Fannie Mae

What creates complexity is if we allow our various areas of information gathering - compliance, Sarbanes-Oxley (Sox), operational risk and the other operational risk functions - to all operate as independent silos. The minute we operate independently, we create an artificial distinction in the information we're collecting and reporting, and we run the risk that we're confusing people by virtue of cataloguing things as compliance information versus operational risk information. What can get really difficult with operational risk information is when we start saying there's operational risk information and there's fraud and business continuity, as though these were independent elements.

Sean Moore, Lehman Brothers

When we were setting up our operational risk framework in a sophisticated manner, I'm happy to admit I got it wrong. It was an interesting lesson. We tried to set up a global operational risk-steering committee and it was a waste of time. It was false, it was made up and people were pained to come along. It seemed to have a lot of duplicity. When we went back to the drawing board, we turned around and looked at what corporate governance we already had in place. We already have an operating exposures committee at the firm that is made up of the firm's executive, which is the heads of each of the divisions, and the chairman, the president, the CRO and the CFO. Learning from that lesson, we've put a series of divisional level structures in place. Some of those were operational risk specific, particularly in our capital markets businesses, and our equities and fixed-income trading. Then, in some of our other business, such as asset management, they already had very well-established and controlled risk committees broader than operational risk, so we integrated ourselves with those.

S Ramakrishnan, Reveleus

I think the opportunity to integrate through overlapping areas of risk, the notion of Sarbanes-Oxley and the notion of the artificial silos are exercising the minds of many companies today. I don't believe anybody has a firm answer as to how all of this will be done, but there is a fundamental understanding of the commonality that seems to have emerged both in the front-to-back sense and in the functional silo sense. We are seeing at least three types of overlapping capability that people are seeking to reduce into a common set of practices, leading to a common measurement approach. That's the big picture emerging in parts of the world today. We're seeing ambitious programmes coming about in that area, but it still doesn't answer the key question that you have raised, which is: 'What are the organisational arrangements required for that class of convergence to actually come about?' I don't think there is a firm answer to that at this time. I think it's experimentation that's going on.

Do you feel you have an adequate level of insight into your institution's real corporate risk across all operating units and, if so, why? Is there anything you would like to add to your discussion, given that it's not just about new businesses, but also about existing businesses and how you get people to communicate and understand what is going on and driving those businesses?

Jane Carlin, Morgan Stanley

I'd have to say, without sounding too pessimistic, that the short answer is no - I don't think we have a sufficient level of insight into corporate risk. Part of the challenge that I'm describing, and I remember being challenged by this as a lawyer and I'm certainly challenged by it in this role, is extrapolating from business goals and budgets and ways in which the business is looking to grow - what the corollary involvement of risk management is or should be in that respect.

Ramakrishnan: This is very interesting, Jane, because we see the new business development and, certainly, new product introduction almost as a side activity when we introduce new lines of business. What's interesting is the natural synching of the normal business planning activity with the related appetite for risk, and the assessment of that as the business planning activity is going on. Is that something you believe is practised or expected to be practised?

Carlin: I think it is in pockets. I think it's person-dependent to be perfectly honest. By the way, I think it's equally true for maturing businesses. If you look at subprime as an example, this wasn't a new activity. This was an activity that had begun to dominate a market. Where it had historically been a small component, now it was suddenly everything. I think that emphasis, and concentration and derivation of revenue from that space all contributed to the explosive conclusion.

Isaac: I think we sometimes fool ourselves in our companies that risk is managed in discreet pockets, such as a new product approval committee, which most of you probably have. It's a continuous process. Products evolve and management is required to make choices as products evolve - become more successful or are challenged in the market. I think for operational risk and compliance to be effective we have to have an understanding at management level of how to evaluate those risks and not expect them to be discreet exercises. That's why, when I was originally asked this question by Ellen, I had very mixed feelings about answering it. You don't know what you don't know and you can get surprised by things that are out there. Ultimately, my question is more: 'Does my manager really understand the operational risk they are taking?' Do they feel equipped to identify those risks? That's very much the role I think I have to play at the corporate level - giving them the equipment, tools, capability, education and information that positions them to make those choices.

Is the cost of compliance, risk and surveillance fully understood across all operating units and, if so, how have you achieved this?

Isaac: Documenting it. Going through our restatement recently, it was an important acknowledgement of what the cost is to correct activity and to ensure you have an effective control framework in place. Also, building a risk management team, and getting an understanding of what needs to be done with an organisation initiating risk control self-assessments and establishing incident collection. There's a very acknowledge awareness of what the cost is. For me, the question is really around: 'Where is the value?' When we start focusing on the cost of introducing these kinds of programmes, they become expense carriers that then start being justified away, if there really isn't any management value that is seen as derived from it. Part of what we do, or what we are working towards - it's somewhat aspirational at this point - is to link more carefully the effectiveness of a control environment, the effectiveness of appropriate risk management practices, to what judgement was exercised and what benefit was gained from that, either through loss avoidance or, not necessarily correct, but better choices being made. One of the things I advocate strongly is linking the risk management function to the value creation of the organisation and why better judgement leads to more effective risk taking.

Moore: I think that's interesting. I think a lot of firms, particularly in New York, have been very outspoken about the cost of compliance with such things as Sarbanes-Oxley. In the operational risk space in particular, we are talking to senior management about why, how and when we're doing this. I've never once mentioned the advanced measurement approach to them. They know that there's the SEC and the FSA that they need to be accountable to and they will be asking questions. We are doing this as a firm because we want to be sophisticated and thoughtful about this and to build a model, a framework, around what we think is the best practice for our firm.

Ramakrishnan: We are finding that both compliance and operational risk are there throughout the organisation, they are there inside your lines of business, and especially the enforcement aspects have to be performed in the operational function. I guess the bigger question is: 'Has this all become part of our lives so it doesn't get called out as an incremental expense or is just that the Sox-like incremental regulatory burden is the most visible end of the compliance cost or the operational risk cost?' Where I would really like to segment this question is: 'Where is that visibility and pain most manifest at this time and are people doing it grudgingly or is it understood as best practice?' It's a question being answered by a question, but I would ask the audience if they have any thoughts around the prevalence of regulations as a pain point driving this cost.

Has your institution taken measures to consolidate governance risk and compliance platforms to reduce costs and, if so, how?

Moore: Interestingly, it's perhaps the wrong answer or the answer people don't want to hear. We have spent a lot of time and energy in operational risk making sure we are a risk management function. We're not a compliance function and we're not an audit function. I think we are very thoughtful about what internal audit and compliance do. We absolutely use their information. Our risk control self-assessment, for example - my colleagues in corporate audit do a terrific job doing their risk self-assessment. It's a wordy kind of process but it's very good. We'll steal that; we'll use their information when it's available and when we think it's good - and it is, so we'll take it. But we are not trying to integrate with them at all.

Isaac: I don't necessarily focus on the platform so I guess my answer is no as well. It's more about the information collection and it's largely out of respect for our business partners who can't afford to be hit by the same question by five different groups. Mainly out of ensuring that the question does get answered, that the information is reliable, valuable and consistent, we've cooperated in setting up a single risk control self-assessment process for compliance, operational risk and the various risk specialities, such as business continuity, that would routinely go to the business unit to assess, for example, the classification of its processes for continuity purposes. We've rolled that into a single exercise for the business managers, so when that assessment is complete, they have satisfied all of the information requirements for compliance in the other groups.

Carlin: I think our answer is yes. We have integrated technology and information across Sarbanes-Oxley, compliance, operational risk and internal audit, and have had each of those groups, including our group, populate central data libraries at the firm that we find are very helpful in horizontalising analysis, extracting reports - so you can slice and dice much more easily and take what you like. It's sliced and diced along everything from Basel risk categories, to business lines, to functional areas. We have all the incidents in there now and, in fact, we're populating the action plans that correspond to major remediation milestones and such. We're all very happy that we bit the bullet but it took a ton of work and the technology was the least of it. It was really the data migration, cleansing and harmonisation. It required that we developed firm-wide vocabularies and taxonomies around what constitutes a critical, high, moderate and low risk and all that stuff and getting audit to change its process, literally, to comply with firm-wide conclusions around 'is it 4 by 6, or 3 by 7, or 2 by 2?'

Ramakrishnan: We are seeing the strong emergence of this, especially in organisations that have an entrenched, multiple-siloed process. I think the common vocabulary is the primary driver and cost is a driver. We are seeing a duplication in exactly the way Angela mentioned, which is that people are being asked to do the same thing again and again with mildly different shades of questioning. Because of that driver, the next question is asked: 'Is the technology also duplicated?' And then, of course, the end issues of converged metrics and a common aggregatability of numbers, which to our mind is really the three levels of reasoning for this question. We are seeing many organisations bite the bullet so to speak and move this ball forward.

Is your financial institution approaching governance risk and compliance strategically and, if so, why and how?

Ramakrishnan: This is a simple question to the rest of the panel and to the others gathered here. Are we seeing operational risk and compliance come together organisationally to a common head, as one mechanism for that type of strategic convergence? From a metrics perspective, in terms of convergence of metrics and systems, and of people and cultures, another area that we have discussed, is it finally leading to any class of commonality from an organisational, structural perspective? Or are the lawyers running compliance and are the risk people running ops risk?

Carlin: I see a lot more interaction, certainly, and I see a lot more sharing of issues. I'll give you an example of something I'm working on right now. I'm working on a documentation sort of gap analysis, focused on particular credit counterparties where there isn't enough transparency about what the agreements say, what would happen if, and how would we proceed to mobilise around that situation. Historically, the firms have been very good at scanning documents but not terribly good at analysing them in all cases. The lawyers who support the businesses and are responsible for the documents directly are participants in that process, but I see op risk really in a unique nexus point within the firm because we're talking to everyone - all the businesses, all the support areas. We have a real opportunity to establish ourselves as leaders - though leaders and remediation leaders - in a way that brings folks together, and it doesn't have to happen organisationally.

Moore: I'm not seeing any convergence with compliance and operational risk and I don't expect that to change. I am seeing convergence with my colleagues in market risk and credit risk, increasingly, as we are looking at some of the big-ticket items; the items where you can lose the $100 million - they seem to be more collaboratory with my market and credit risk colleagues. I think we're also seeing increased alignment with finance, particularly the product control and financial reporting people. That's not to say there's not a lot of information sharing with compliance and audit. That's kind of how I see us.

Carlin: Do you report to the chief risk officer?

Moore: I do.

Carlin: I do as well.

Isaac: As do I. I think it depends on the area where there are natural opportunities when you combine people. Integration shouldn't be done just to get people to report to the same individual. To Jane's point, the cooperation element is probably more effective and more valuable than jacking up the responsibilities of the chief risk officer.

Carlin: I do think we've been a tremendous influence on market risk. I really share that comment. I had a senior market risk professional come up to me recently wanting to talk about outstandings on complex trade reviews. After almost fainting, I was really struck that, two or five years ago, I don't know if this guy would have even known there was a CTR process, even though he was enormously dependent on that reconciliation from a market exposure perspective. He never really understood that. With today's eyeglasses on, they really get that joke.

You need to sign in to use this feature. If you don’t have a account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here