Sponsored feature: MEGA


Governance, risk & compliance (GRC) programmes were initially regarded as added, unnecessary expenses that didn’t drive real business value. These original GRC efforts were primarily focused on financial objectives and often exposed a ‘just to pass’ culture towards regulatory compliance. Since those early days, organisations have realised that identifying and controlling risks makes the company stronger. Corporations recognise that increasing transparency of operational processes and risks is a responsible approach to protecting them from costly hazards and creating added value.

GRC, when treated as a holistic endeavour, helps govern companies by reconciling financial objectives and business strategy with operational tactics and execution. It provides reasonable assurance that risks are fully identified, monitored and managed so they are controlled in the way that best meets corporate goals and policies.

This new approach to GRC reinforces operational governance as a complement to financial governance. Combining the two is the best way to improve decision-making in the risk environment and ensure better long-term performance.

This article discusses how operational governance strengthens GRC programmes in a sustainable way. It focuses on three steps to implementing a programme that creates true visibility into a company’s infrastructure and effective operational risk management (ORM).

ORM is back in the spotlight for financial institutions
As major businesses experienced operational crises in recent years, it came as a wake-up call for many institutions to change the way they managed operational risks. These events showed the need to have a comprehensive understanding of risk exposure across the organisation. They also revealed how difficult it was for institutions to have a clear, integrated view of operational risks because information and data in business lines were usually siloed, with little sharing.

Prior to the economic crisis, ORM was addressed in some regulation. Basel II defined how banks were to guard better against risks and established ORM as a fundamental requirement. However, financial institutions didn’t dedicate substantial resources to ORM because their primary goal was to address financial risks.

Knowing the economic crisis was caused not just by financial breakdowns, but by failures in operations as well, companies are slowly realising that ORM initiatives are essential for success.

Compliance and ORM initiatives, as integral parts of GRC programmes, can be considered an investment opportunity that provides better corporate transparency, accountability and financial security, not a costly constraint.

Better ORM requires effective operational governance
There have been several recent examples of multi-million dollar losses brought about by operational risk events. These include a $126 million loss from theft and fraud at a US bank; a $100 million loss due to transaction capture, execution and maintenance practices at a Scottish subsidiary of a British life insurance and pensions company; and a $70 million loss caused by improper business practices at a leading Swiss bank. These events raise serious questions about the effectiveness of the supervision and execution of controls by institutions.

Companies often react to losses – or the fear of losses – by implementing more controls than are necessary or appropriate, just to make sure that an event doesn’t occur. While adding controls may prevent a future loss, the cost of excessive controls may be too high in relation to the risk, especially if the ultimate goal is improved business performance. In addition, controls may decrease the flexibility and agility necessary to meet business challenges.

The real challenge is implementing the right level of efficient and effective controls to manage operational risks and maximise performance within the boundaries of legal restrictions and risk thresholds. It is a balance between what is necessary and what makes the most sense.

Part of the challenge also involves recognition that, even with the right level of risk policies and controls, people within the organisation might not follow recommended actions because they aren’t aware of them, don’t see the benefits, don’t understand them or are not trained properly.

A thorough and comprehensive ORM programme requires a strong operational risk methodology to define the company risk profile. This demands a strong understanding of company processes and operations. It is this clear view across the company that will provide all stakeholders with the information they need on ORM policies, accountability and execution requirements.

Operational governance is centred on the key operating decisions made by executives and managers and on follow-through in the execution of policies. It presents a framework for managers to improve how decisions are made and carried out, and contributes to better ORM. Including operational governance in GRC programmes allows the company to adjust processes and transform operations, as well as anticipate future events and manage issues that can result in unforeseen risk.

Operational governance is based on comprehensive understanding of the organisation
The first step in establishing an operational governance programme is obtaining a firm understanding of the company and a clear view of organisational roles, responsibilities and ownership as a way of clarifying accountability. This demands enterprise-wide knowledge, which can be delivered by a business process-based approach.

This type of approach to operational governance provides clear understanding and true knowledge of the company structure, giving managers a complete view of the way the organisation runs. It offers the added benefit of allowing the company to account for variables, employee actions, the impacts of new projects and other important factors.

The next step in establishing operational governance is to define policies and describe them as specific processes and operations, and include them as an integral part of best practices. Once again, the understanding of business processes and operations facilitates the development of an approach that is fully aligned with goals, and easily adopted by stakeholders.

Finally, in operational governance, communication is essential. While policies may be defined, if they aren’t clearly communicated and understood, the problem of failed execution may still exist. The final step is to communicate the policies and then monitor and evaluate whether – and how well – they have been completed.

Step 1 of implementing operational governance: Roles, responsibilities and ownership
Operational governance starts with clearly defining roles, responsibilities and accountability. This establishes who is responsible for which decisions and the role corporate and business unit executives play in the process.

Support for operational governance begins with the board of directors and is transmitted to all levels of the organisation through education and communication. The board sets up the enterprise’s financial targets and defines the mission and fundamental objectives, as well as the risk appetite and risk management strategy.

While roles and responsibilities for risk, control, audit and compliance functions may differ slightly from one company to another, business line managers must be integrated into this process in all cases. Managers are expected to improve risk and control self-assessment for their departments, and align with the overall risk management strategy. Then, they must monitor the process to ensure that policies are followed. With a responsible, accountable, consulted, informed vision – known as RACI – managers are accountable for risks and for creating action plans to monitor and mitigate them. This group must include risk management as a key element of their job and develop a risk culture and awareness among their employees.

The board must ensure that all accountabilities are met as defined. They and the risk, compliance, audit and control functions, and business line managers, must work in close collaboration to ensure sound decisions.

Step 2 of implementing operational governance: Policies and practices
Operational governance programmes define and formalise a company’s policies, or how it needs to work in relation to its objectives. These programmes set out how to communicate these objectives, along with practices and knowledge.

Shared and centralised policy information is a foundation for operational governance. This essential information must be accessible throughout the organisation to eliminate the problem of siloed groups operating on their own. Typically, GRC programmes rely on a common information repository to centralise and provide widespread access to consolidated and up-to-date information. This ensures a comprehensive approach to operations, completing the value chains owned by managers.

A clear definition and transparent communication of policies and procedures with employees and stakeholders ensures that operations are aligned with strategies and objectives. It is crucial that employees understand what managers and corporate policies require, and their understanding is validated. It shows whether the company has successfully provided the knowledge that individuals need to execute properly.

Step 3 of implementing operational governance: Communication
For operational governance programmes, communication is essential to continuously providing up-to-date and relevant information adapted to ongoing business needs.

A focus on risk perception, attitudes, behaviour and communication ensures the accountability of everyone in the company. While people may understand policies and procedures, it is important to make sure that they know how to carry them out properly. Clear deliverables and collaboration processes have to be defined in relationship with stakeholders to make sure that the communication is effective and appropriate for business users.

Companies with operational governance programmes typically provide a continuous training programme to ensure that the entire workforce is educated about the importance of ORM. GRC programmes help facilitate this through training, where surveys and testing can objectively measure how well policies are understood and adopted.

Effective and constant communications programmes help to reinforce collaboration. The easier it is for individuals and groups to work with each other, the greater the enterprise benefits. With a united workforce, risks can more easily be identified and managed.

Conclusion
GRC is still evolving from a regulatory must-have that is viewed only as a cost centre into an important initiative: a system that delivers real and sustainable value to the organisation. With the focus on risk management extending from financial governance to operational governance, companies can gain valuable tools to identify and minimise risks.

By ensuring that corporate policies and practices are well-defined, communicated and understood, an operational governance programme improves decision-making, joins all stakeholders together into a business-driven collaboration and creates an enterprise that is strong and focused on the future.
