Sunday, May 26, 2013

Should Risk & Compliance Stay under the same Umbrella


As part of the effort to run a successful business, organizations have to manage the risks to business operations with an eye on the strategic plan. Requirements to ensure compliance are another component of the company’s risks. However, in some businesses the compliance function says that it never talks to its cousins in Risk Management. What are the ideal reporting lines for risk and compliance, and should they stay under the same umbrella?




1. Compliance Maturity

Compliance Management covers all (relevant) laws, regulations, internal standards and policies (including the Operational Risk policy). It stands to reason that the laws, regulations, internal standards and policies imposed on or adopted by a company are the source and starting point for the definition of any underlying (operational and system) process needed to remain compliant.

  • Compliance is typically (at average maturity) an inward-looking, detail-focused function. Ensuring and overseeing compliance is an essential part of the governance body's work, but largely as a means to 'preserve value' rather than to 'create value'. Compliance obligations are mostly unrewarded risk: something you have to do to keep the regulator off your back and ensure the business maintains its license to operate. Evaluating the risk attached to compliance obligations is needed to manage compliance programs effectively.
  • At a high maturity level, Compliance is also about looking at the outside world. Compliance is, or should be, more than just looking at internal directives. It is also about looking at how the world and society are developing. Compliance is very much a strategic issue, and companies that do not recognize this are blindfolding themselves to a great extent, now even more than in the past, as the world has become significantly ‘smaller’ due to modern social media and cross-border relationships. A good example is ‘durability’ and ‘sustainability’. If the organization does not take this into consideration and advise accordingly, the Board may disregard external sentiments or external social and political developments. A good reputation is one of the biggest assets of a company and most definitely a value creator.
  • Plus, the focus of compliance should shift more naturally in line with the market's view. Compliance should be in the frontline of developments to provide guidance to the business where it is needed. This also means that Compliance is not only telling the business what it cannot do; it can also point the business in the direction of alternatives and opportunities within the regulatory frameworks.

2. Managing Compliance is a Sub-set of Operational Risk

Businesses are focused on risk management and corporate governance as a means of setting guidelines. Both are critical business functions whose responsibility resides with the board and senior executive teams, to the point of liability and individual risk. Risk, at the Board level, requires a strategic and forward-looking perspective, dealing in uncertainty and, if it is to add real value, challenging accepted wisdom, 'thinking the unthinkable' and asking the unpalatable question. Sadly, many companies pay the price for limiting their thinking to the short-term, internal perspective.

  • The overarching risk management program should consider compliance risk as part of the enterprise view of risks. Compliance with risk management and appropriate Operational Health & Safety (OH&S) practice is commonplace across businesses, and the two are seen and act simultaneously. There seems little point in establishing risk management policies and processes if there are no cultural penalties or disincentives when the processes and risk mitigation strategies are not implemented across the business. There are companies that focus on compliance, the heavily regulated ones for obvious reasons; however, if that is their only focus or primary strategy, they can miss risks that might be pretty obvious to someone else.
  • The challenge is ensuring that the people authorized to make decisions on behalf of the company are able to view the organization and the risks to it holistically. There needs to be a balanced and thoughtful approach to managing the risks that could interrupt or negatively impact the business, which includes compliance risk. Organizations get into trouble when their focus is compliance, because a compliance-focused GRC program can also be reactive and backward-looking. "Making the regulators happy" frequently _does_ turn into window dressing; many regulated organizations follow that path only to suffer a loss due to risks not adequately addressed by compliance-focused risk management.
  • Risk is a topic for the full board: not only to identify and address key risks, but to understand and convert the best of them into opportunity (the creative cousin of risk) for new initiatives and progress. At an operational level, the management of risk usually aligns well with the compliance function. But the role of the board is not just about 'risk management': directors are there to provide 'risk governance'.

3. Balance the “Four Eyes” Checks & Co-operation between Compliance & Risk Management

The debate is about how to make compliance and risk management work more effectively: how do they cover the areas that cross over? How well do they cover the gaps? Can you really understand the risks in a solution if you don't understand it from end to end? How can compliance be strategically aligned as part of the overall process to manage risks?

  • Separation of the Risk and Compliance functions in most organizations should provide the necessary "four eyes" checks and balances to optimize risk mitigation within a firm. The Compliance function often reports directly to the firm's governing body, whereas Risk goes to the board via C-level executives (depending on the size and complexity of the firm), as Risk and Compliance Management typically require different skills and mind-sets. This does not mean, however, that there should not be close co-operation between the two areas. Unfortunately, at this point in larger organizations, power politics and point scoring often get in the way of common sense and what is best for the organization! They usually claim that compliance and risk are working side by side, but in fact they sometimes act as each other’s biggest internal competitor, trying to dominate each other in the chain of command and hierarchy.
  • Utilize the Risk Management process at its core, running through all activities, whether carried out by the compliance function or by the businesses. This is going down well; by leveraging the risk management process, the level of evidence and reporting required by regulators these days should also be facilitated without extra processes. Compliance is such a large area of risk that most companies have a group dedicated to it, which may create the impression that it is somehow a separate discipline, but it isn't. It's just one risk area that is large enough to justify dedicated staff. While the reporting lines could certainly be aligned, there is a definite need for and benefit from dedicated compliance staff, because these people represent very specific subject matter expertise, whereas risk management staff may be more generalist.
  • Risk and compliance should work really closely in order to create value. Many have been advocating integrated GRC for years. Integrated GRC includes more vital business perspectives, each providing a check and balance on the others. The two disciplines require different sets of specialism, and depending on how heavily regulated an entity is, it may require the functions to operate independently, although the risk issues should be addressed jointly in one Risk and Compliance Committee, as compliance does have an impact on strategic matters. More importantly, they should use the same (risk) methodologies and talk the same language. Failure to comply with any operational process is, in the bigger picture, primarily a failure to comply with the operational policy from which the process is (in the end) defined.
Therefore, there are pros and cons to Risk and Compliance being merged completely, but risk management and compliance are as closely linked as they need to be under the GRC umbrella.